Introduction to Open Source Security Tools

My GitHub webcast for Cyber Security Month.

Scott J. Roberts

October 19, 2017

Transcript

  1. Introduction to Open Source Security Tools
    Running awesome open source security projects

  2. Intro: @sroberts
    • Scott J Roberts
    • Security Ops Manager: Response
    • With GitHub 5 years
    • Python, Golang, & JavaScript Developer
    • Author of O’Reilly’s Intelligence Driven Incident Response with @pdxbek

  3. Intro: This Talk
    • Our favorite Open Source Security Tools
    • The project, people, tech, & involvement
    • Protecting your Code on GitHub
    • What Makes Awesome Open Source Projects

  4. facebook/osquery
    SQL powered operating system
    instrumentation, monitoring, and analytics.

  5. The Project
    • Corporate sponsored project
    • System level service
    • Open sourced an internal tool

  6. facebook/osquery: what?
    • osquery is an operating system instrumentation framework for OS X/macOS, Windows, and Linux. The tools make low-level operating system analytics and monitoring both performant and intuitive.
    • Billed as “Deployable, Flexible, Fast and Tested”
    • Allows a system (or collection of systems) to be interrogated as a series of SQL tables

  7. facebook/osquery: who?
    • Sponsored & managed by Facebook
    • 163 total contributors to facebook/osquery
    • Multiple open (and closed) source 3rd party related tools
    • Active Slack Channel with 599 members

  8. facebook/osquery: tech?
    • Built using C++
    • Data storage via Facebook’s RocksDB
    • Aimed at MacOS & Linux originally, ported to Windows by Trail Of Bits

  9. facebook/osquery: demo

  10. facebook/osquery: demo

  11. facebook/osquery: involved
    • 4018 commits*
    • 2360 PRs Closed (20 Open)
    • 1318 Issues Closed (104 Open)
    • Check labels easy and good-first-issue
    • osquery.io & github.com/facebook/osquery
    * All stats as of 2017-10-18 ~20:00 GMT

  12. gchq/cyberchef
    The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

  13. The Project
    • Client side, browser based data manipulation UI
    • Packaged as a single HTML document with JS & CSS
    • Internally built and open sourced by a large organization

  14. gchq/cyberchef: what?
    • The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
    • An analyst centric web browser based tool for common data manipulation used in investigations

  15. gchq/cyberchef: who?
    • GCHQ - United Kingdom’s Signals Intelligence & Information Assurance organization
    • 15 contributors

  16. gchq/cyberchef: tech?
    • JavaScript (with Babel), HTML, & CSS (via Less) packaged together
    • jquery & Bootstrap
    • Automation: Grunt & Webpack

  17. gchq/cyberchef: demo

  18. gchq/cyberchef: demo

  19. gchq/cyberchef: demo

  20. gchq/cyberchef: demo

  21. gchq/cyberchef: demo

  22. gchq/cyberchef: demo

  23. gchq/cyberchef: demo

  24. gchq/cyberchef: demo

  25. gchq/cyberchef: demo

  26. gchq/cyberchef: demo

  27. gchq/cyberchef: involved
    • 634 commits
    • 98 PRs Closed (5 Open)
    • 75 Issues Closed (19 Open)
    • Check labels help wanted
    • gchq.github.io/CyberChef/ & github.com/gchq/cyberchef

  28. phillipmartin/gopassivedns
    PassiveDNS in Go

  29. The Project
    • Created by an individual (Phillip!) for their own needs
    • A modern rewrite of legacy gamelinux/passivedns
    • Infrastructure Micro Service
    • Demonstrates the power one developer can have solving their own problem and sharing the result

  30. phillipmartin/gopassivedns: what?
    • Network-based DNS logging in Go
    • Listens on the network for DNS lookups and logs the results
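    The passive DNS idea on this slide, as an added example (not gopassivedns' own code): a parser that turns one DNS response message into the query/answer records a passive DNS logger would write out. It assumes something else, libpcap in gopassivedns' case, has already handed over the UDP payload; the message here is constructed inline so the code runs offline, and the Record type and function names are mine. The parser follows compression pointers (including a CNAME target that points back into the question), refuses queries and truncated messages, and bounds pointer hops so a crafted pointer loop cannot hang a sniffer.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Record is one passive DNS observation (hypothetical type for this example): the question plus one answer RR.
type Record struct {
	Question, RRName, Answer string
	Type                     uint16
	TTL                      uint32
}
var errMalformed = errors.New("malformed or truncated DNS message")

// readName decodes a DNS name at off, following RFC 1035 compression pointers,
// and returns it with the offset just past the name in the unjumped stream.
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	next, jumped := -1, false
	for hops := 0; hops < 64 && off < len(msg); hops++ { // hop bound defeats pointer loops
		switch l := int(msg[off]); {
		case l == 0: // end of name
			if !jumped {
				next = off + 1
			}
			return strings.Join(labels, ".") + ".", next, nil
		case l&0xC0 == 0xC0 && off+1 < len(msg): // pointer to an earlier name
			if !jumped {
				next = off + 2
			}
			jumped = true
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case l&0xC0 != 0 || off+1+l > len(msg): // reserved bits, or label past the end
			return "", 0, errMalformed
		default: // ordinary label
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		}
	}
	return "", 0, errMalformed // ran off the end, or a crafted pointer loop
}

// ParseResponse turns one DNS response (the UDP payload a capture hands us) into
// passive DNS records, one per answer RR; queries and junk are rejected, not logged.
func ParseResponse(msg []byte) ([]Record, error) {
	be := binary.BigEndian
	if len(msg) < 12 || be.Uint16(msg[2:])&0x8000 == 0 {
		return nil, errors.New("not a complete DNS response")
	}
	qd, an, off, question := int(be.Uint16(msg[4:])), int(be.Uint16(msg[6:])), 12, ""
	for i := 0; i < qd; i++ { // question section: name, QTYPE, QCLASS
		name, n, err := readName(msg, off)
		if err != nil || n+4 > len(msg) {
			return nil, errMalformed
		}
		question, off = name, n+4
	}
	var recs []Record
	for i := 0; i < an; i++ { // answer section: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
		rrname, n, err := readName(msg, off)
		if err != nil || n+10 > len(msg) {
			return nil, errMalformed
		}
		rtype, ttl, rdlen := be.Uint16(msg[n:]), be.Uint32(msg[n+4:]), int(be.Uint16(msg[n+8:]))
		if n+10+rdlen > len(msg) {
			return nil, errMalformed
		}
		rdata := msg[n+10 : n+10+rdlen]
		answer := fmt.Sprintf("%x", rdata) // types we do not decode are kept as raw hex
		switch {
		case rtype == 1 && rdlen == 4, rtype == 28 && rdlen == 16: // A, AAAA
			answer = net.IP(rdata).String()
		case rtype == 5: // CNAME target, which may itself use compression
			if answer, _, err = readName(msg, n+10); err != nil {
				return nil, err
			}
		}
		recs = append(recs, Record{question, rrname, answer, rtype, ttl})
		off = n + 10 + rdlen
	}
	return recs, nil
}

// sampleResponse is a constructed answer to "example.com A": a CNAME to www.example.com,
// then an A record, both using 0xC0 compression pointers as real resolvers do.
var sampleResponse = []byte{
	0x12, 0x34, 0x81, 0x80, 0, 1, 0, 2, 0, 0, 0, 0, // header: QR set, QD=1, AN=2
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1, // question "example.com A" at offset 12
	0xC0, 12, 0, 5, 0, 1, 0, 0, 1, 0x2C, 0, 6, 3, 'w', 'w', 'w', 0xC0, 12, // CNAME, TTL 300, target www + pointer to 12
	0xC0, 41, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 192, 0, 2, 10, // A for www.example.com, TTL 60, 192.0.2.10 (TEST-NET-1)
}

func main() {
	recs, err := ParseResponse(sampleResponse)
	fmt.Printf("%v\n%+v\n", err, recs) // one record for the CNAME, one for the A answer
}
```

    Each Record is what a passive DNS pipeline would ship to syslog or Kafka as one line; keeping the question alongside the RR owner name is what lets an analyst later answer "which hosts resolved this name, and what did it point to at the time".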

  31. phillipmartin/gopassivedns: who?
    • Created by an individual (Phillip!) for their own need
    • Four Contributors
    • No corporate sponsorship

  32. phillipmartin/gopassivedns: tech?
    • Pure Golang
    • Integrates with libpcap & libpcap-dev
    • Outputs to syslog & kafka

  33. phillipmartin/gopassivedns: demo

  34. phillipmartin/gopassivedns: involved
    • 54 commits
    • 11 PRs Closed (1 Open)
    • 10 Issues Closed (11 Open)
    • Check labels help wanted
    • https://github.com/phillipmartin/gopassivedns

  35. trailofbits/algo
    Set up a personal IPSEC VPN in the cloud

  36. The Project
    • Infrastructure as Code
    • Open source replacement for closed source tools
    • Built by a security consultancy and research organization then shared as open source

  37. trailofbits/algo: what?
    • Set up a personal IPSEC VPN in the cloud
    • Ansible playbooks for creating a preconfigured IPSec VPN service on personal hardware or cloud providers

  38. trailofbits/algo: who?
    • Trail of Bits
    • 64 contributors

  39. trailofbits/algo: tech?
    • Ansible Playbooks
    • Built for running with cloud platforms like DigitalOcean, Azure, EC2.

  40. trailofbits/algo: demo
    • N/A… but try it!

  41. trailofbits/algo: involved
    • 691 commits
    • 172 PRs Closed (3 Open)
    • 464 Issues Closed (57 Open)
    • Check labels documentation
    • github.com/trailofbits/algo

  42. Yara-Rules/rules
    Repository of yara rules

  43. The Project
    • Detection as Code
    • Showing how to share not just tools but indicators of compromise

  44. Yara-Rules/rules: what?
    • Repository of yara rules
    • Yara is “The pattern matching swiss knife for malware researchers” (See virustotal.github.io/yara for more)
    • “Antivirus you update with a git pull” ~@tomchop_
    • Makes it easier to identify malware or malicious patterns in various tools

  45. Yara-Rules/rules: who?
    • Community Driven Project
    • 41 Contributors

  46. Yara-Rules/rules: tech?
    • Yara + Shell for Testing
    • Travis for Continuous Integration

  47. Yara-Rules/rules: demo

  48. Yara-Rules/rules: demo

  49. Yara-Rules/rules: involved
    • 1414 commits
    • 130 PRs Closed (1 Open)
    • 139 Issues Closed (2 Open)
    • Check labels help wanted
    • github.com/Yara-Rules/rules & http://yararules.com/

  50. Running Awesome Open Source Projects

  51. As a Contributor
    • Fix your own problems.
    • Documentation & testing are highly underrated!
    • Look for issues marked help wanted.
    • Get involved and create something!

  52. As a Maintainer
    • Consistency is huge. Get others involved as necessary.
    • Even if it means passing off a project.
    • Set expectations for contribution and behavior.
    • Mark issues for new contributors like help wanted or good first issue.
    • Use the tools: project boards, issue templates, CI, etc.

  53. Keeping Open (& Closed) Code Secure on GitHub

  54. Securing GitHub Accounts
    • Strong Passwords
    • 2FA (U2F or TOTP (and technically SMS))
    • Emails, keys, & Applications

  55. Securing Organizations
    • Audit Collaborators
    • Audit Integrations
    • Enable 2FA Enforcement
    • Require Application Approval
    • Use Single Sign On/SAML

  56. Securing Repositories
    • Audit Collaborators
    • Use Protected Branches
    • Audit Webhooks, Integrations, & Deploy Keys
    • https://www.bountysource.com/

  57. Testing & CI
    • Use tests to ensure code does what you expect
    • Require tests for new code
    • Require passing CI before merging
    • Static Analysis Tools like presidentbeef/brakeman
    • See github.com/mre/awesome-static-analysis

  58. Community Management & Engagement
    • Comprehensive README describing the project & direction
    • Be responsive in issues & pull requests
    • Set expectations & hold people to expectations
    • Call out easy places to get started
    • Try: github.com/pengwynn/flint

  59. Hacktoberfest
    • Sponsored by DigitalOcean
    • Search: “label:hacktoberfest state:open type:issue”

  60. Security Showcase & Awesome Lists
    • https://github.com/sbilly/awesome-security
    • https://github.com/rshipp/awesome-malware-analysis
    • https://github.com/meirwah/awesome-incident-response
    • https://github.com/enaqx/awesome-pentest
    • https://github.com/InQuest/awesome-yara

  61. Check out https://guides.github.com/ & https://git.io/vdQr3

    Now go help build something awesome!

  62. Questions?
    Use the GoToWebinar Interface
