Hackitect (3 Part Series)
As I promised in my first article https://www.linkedin.com/pulse/hackitect-journey-mission-marek-%C5%A1ottl-ceh-cissp/, here is the cyber security open source animal zoo. This article will not lead you to the well-known, market-breaking open source projects, but to different cyber animals that are useful in the day-to-day job of a Hackitect. The list is not limited to my selection, so feel free to share your stuff and thoughts about what is missing.
To erase the idea that IT only supports the business, we need to understand that security became a function, a functional requirement in essence. Then we need to understand that security is here to enable the business, not to support it. To enable the business, we need to forget what we know and look for unusual solutions.
I remember a few projects done with this great tool. In-house phishing became easy and fun after open source like this. You can track user behaviour, locations, data sent etc. Everything with one server and one open source solution (with a cool GUI). Data from a campaign can be easily exported to CSV.
A campaign is written in classical HTML and CSS, but if you don't have knowledge in this area you can easily copy an existing system and trick your victims. Emails are easy to create too; the system has predefined templates. Codified templates! All the spear, targeted and massive phishing campaigns become a fun part of your job.
The phishing master can get information about email status: an email can be sent, opened, clicked, and even have data submitted (which can be anonymized - GDPR ready!). All of this in one package.
A forensic beast hard to spot in a free security office. Yes, this is the Volatility engine. This tool is a fantastic open source memory forensics framework. The last release is version 2.6 from 2016. Not the best, however if you have machines affected by malware and want to focus on RAM forensics, not bad. Like the majority of security tools, this cyber toy is coded in Python.
Interested in more? Do you like to play and use mutex values to find malware? Look here: https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
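One way to put the mutex idea to work, as an added example that is neither the Volatility project's code nor part of the original article: a small Python triage script that parses constructed `mutantscan`-style output from a known-clean baseline image and from a suspect image, then reports mutex names that appear only in the suspect image together with the owning CID (pid:tid) and thread offset, so you can pivot to other plugins for that process. The column layout mirrors Volatility 2.6 output, but every offset, CID and mutex name below is made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the column layout of Volatility 2.6 `mutantscan`
# (Offset, #Ptr, #Hnd, Signal, Thread, CID, Name). All values are made up, not real IoCs.
BASELINE_SCAN = """\
Offset(P)          #Ptr #Hnd Signal Thread                   CID Name
------------------ ---- ---- ------ ------------------ --------- ----
0x000000003e0a1f30    2    1      1 0x000000003f2b1d48   584:588 ShimCacheMutex
0x000000003e1c2a80    2    1      1 0x0000000000000000       -:- ExampleBaselineMutex
"""

SUSPECT_SCAN = """\
Offset(P)          #Ptr #Hnd Signal Thread                   CID Name
------------------ ---- ---- ------ ------------------ --------- ----
0x000000003e0a1f30    2    1      1 0x000000003f2b1d48   584:588 ShimCacheMutex
0x000000003e1c2a80    2    1      1 0x0000000000000000       -:- ExampleBaselineMutex
0x000000003f9d0c10    2    1      0 0x000000003fa41b20 1932:1940 Global\\PLACEHOLDER_SUSPECT_MUTEX
0x000000003fa00000    1    0      0 0x0000000000000000       -:-
"""

ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s")  # data rows start with the physical offset

def parse_mutantscan(text: str) -> Dict[str, Tuple[str, str]]:
    """Map mutex name -> (CID, thread offset); header, separator and unnamed mutants are skipped."""
    rows: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if not ROW_RE.match(line):
            continue
        parts = line.split(None, 6)  # name is the 7th field and may itself contain spaces
        if len(parts) < 7:
            continue                 # unnamed mutant: nothing to pivot on
        _offset, _ptr, _hnd, _signal, thread, cid, name = parts
        rows[name] = (cid, thread)
    return rows

def new_mutexes(baseline: str, suspect: str) -> List[Tuple[str, str, str]]:
    """Names present in the suspect image but not in the clean baseline, with CID (pid:tid)
    and thread offset so the analyst can pivot to pslist / malfind for that process."""
    base = parse_mutantscan(baseline)
    return sorted((name, cid, thread) for name, (cid, thread) in parse_mutantscan(suspect).items()
                  if name not in base)

if __name__ == "__main__":
    for name, cid, thread in new_mutexes(BASELINE_SCAN, SUSPECT_SCAN):
        print(f"NEW mutex {name!r} in CID {cid} (thread {thread})")
```

Feed it the saved text output of `mutantscan` from a golden image and from the machine under investigation; the baseline diff is a triage filter, not proof of infection, so every hit still needs a look at the owning process.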
If you are looking for perfect tooling and architecture for benchmarking, you are on the right track. If you want to run, for example, audits in your AWS Lambda or Azure Functions as serverless solutions reporting directly to CloudWatch, you are already reaching the cyber grail of cloudification.
Do you remember the tool named Lynis? A perfect audit and benchmarking instrument for Linux. Easy to use and implement. If you are a big fan of containers, this two-headed snake (giant) is absolutely your choice. The tools kube-bench and docker-bench provide a comprehensive audit of containerized systems. Docker-bench is inspired by CIS (Center for Internet Security). You can find this project on GitHub: https://github.com/docker/docker-bench-security . Docker-bench checks common best practices related to OS configuration and security (iptables, partitions, directory permissions etc.). On the other side is kube-bench, which benchmarks Kubernetes implementations. Kube-bench is on GitHub too: https://github.com/aquasecurity/kube-bench. Tests are written in the absolutely awesome coding language named YAML. The whole framework is written in Go. For Go fans, perfect news and a challenge to start contributing. All the checks are inspired by the CIS Kubernetes Benchmark.
This is my favourite cyber animal. If you are a pentester, an architect, or mainly if you are a HACKITECT, then start to sharpen your mind. The perfect installation is on Ubuntu with Docker. This pentesting framework for mobile apps is used even by multiple consulting companies (easy to read from their reports). In a few seconds you get the decompiled application with a source code review and recommendations on what to do.
A really good feature is dynamic analysis, for those who like to explore more. This framework supports iOS (ipa), Android (apk) and Windows Phone apps (appx). If you have not started installing yet, you still have the chance.
MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. MobSF even has a Web API. What else can you wish for?
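How that Web API looks from a pipeline step, as an added example that is not MobSF's own code nor from the original article: a Python client that uploads an app, triggers the static scan and pulls the JSON report, with the HTTP transport injected so the three-call sequence can be exercised offline. The base URL, the API key and the three endpoint paths (`/api/v1/upload`, `/api/v1/scan`, `/api/v1/report_json`, authenticated with an `Authorization` header) are assumptions taken from MobSF's documented REST API and should be checked against your MobSF version.

```python
import json
import os
from typing import Any, Callable, Dict, Tuple

# Base URL and API key are assumptions for this example; read them from the
# environment so the key never lands in the pipeline definition. The three
# endpoint paths follow MobSF's documented REST API (check them against your
# MobSF version; treat them as an assumption here).
MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
MOBSF_API_KEY = os.environ.get("MOBSF_API_KEY", "REPLACE_WITH_MOBSF_API_KEY")

# The HTTP transport is injected so the workflow can be exercised offline;
# live_post() is the real one and wraps requests.
PostFn = Callable[[str, Dict[str, str], Dict[str, Any], Dict[str, Any]], Dict[str, Any]]

def live_post(url, headers, data, files):
    """Multipart POST to MobSF; fail loudly on HTTP errors (MobSF answers JSON)."""
    import requests  # only needed when talking to a live MobSF instance
    resp = requests.post(url, headers=headers, data=data, files=files or None, timeout=900)
    resp.raise_for_status()
    return resp.json()

def scan_app(file_name: str, payload: bytes, post: PostFn,
             base_url: str = MOBSF_URL, api_key: str = MOBSF_API_KEY) -> Tuple[str, Dict[str, Any]]:
    """Upload an apk/ipa/appx, run the static scan, fetch the JSON report. Returns (hash, report)."""
    headers = {"Authorization": api_key}  # the Web API is authenticated with this header
    up = post(f"{base_url}/api/v1/upload", headers, {}, {"file": (file_name, payload)})
    # /scan needs the identifiers returned by /upload; the scan itself runs synchronously
    scan_req = {"scan_type": up["scan_type"], "hash": up["hash"], "file_name": up["file_name"]}
    post(f"{base_url}/api/v1/scan", headers, scan_req, {})
    report = post(f"{base_url}/api/v1/report_json", headers, {"hash": up["hash"]}, {})
    return up["hash"], report

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        app_hash, rep = scan_app(os.path.basename(sys.argv[1]), fh.read(), live_post)
    with open(f"mobsf-{app_hash}.json", "w") as out:
        json.dump(rep, out, indent=2)  # keep the full report as a pipeline artifact
```

Run it as `python mobsf_scan.py app-debug.apk` from the build job with `MOBSF_URL` and `MOBSF_API_KEY` set as pipeline secrets; the saved report is what a later gate step inspects.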
OK, OK, OK, now we are getting serious. Do you know blockchain? YES, the cool and fancy buzzword of 2018. There are people on this planet who want to make it really useful. Sovrin is a public blockchain identity implementation built on DIDs (decentralized identifiers). Data models and syntax are available here: https://w3c-ccg.github.io/did-spec/ . Sovrin is built on the open source Hyperledger Indy. Self-sovereign identities can be the future of decentralized Active Directory-like systems, providing secured and immutable identities and identity management features. More details are for a separate article.
A last, more philosophical question: do you think that dinosaur technologies like AD will survive the age of digital transformation, the age of self-sovereign identity?
Infrastructure as code is a topic which cannot be forgotten these days. If you know Terraform from HashiCorp, you will know Vault too: secure storage for all the sensitive credentials, tokens and key material.
The Vault project provides not only storage but also enrollment of AWS credentials, keys, SSH credentials or X.509 certificates. Looking for more? Here is the reference architecture: https://www.vaultproject.io/guides/operations/reference-architecture.html
Security and architecture as code is a basic need today. There will be no more talkers; there will be more people who deliver value. InSpec is an instrument for compliance, or audit if you wish, as code. More guides and information are available at https://www.inspec.io/. This framework is made by the Chef community. So thank you! Supported platforms include cloud environments like AWS and Azure, and even containers and infrastructure. Results can be exported to JUnit format and consumed by your continuous integration / delivery. For shell fun you can play with the InSpec shell.
Audit and security as we know them are moving to new standards. I am happy about that.
Looking for a solution for source code review? SonarQube is not the best, but it will help you get insight into your code. SonarQube can be integrated with enterprise CI/CD solutions (Jenkins, Azure DevOps, TeamCity and others). The SonarQube guys describe themselves as continuous inspection. Sonar is not targeted at security problems (only partly), so don't expect features like Fortify or Checkmarx. Great stuff is that there are several open source plugins: https://redirect.sonarsource.com/doc/plugin-library.html . This tool supports multiple languages.
The full list is here: https://www.sonarqube.org/features/multi-languages/.
Big companies are working with the community too. Netflix is a typical example.
Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations.
Great is that Security Monkey can be used for multicloud solutions. I was looking for a really long time for AWS security check automation. If you are creating Lambda-based security, or better said event-driven security, you must search deep in GitHub to get your answers, or sit down and start to code (God bless you). The Netflix statement is: "Support is available for OpenStack public and private clouds. Security Monkey can also watch and monitor your GitHub organizations, teams, and repositories."
With today's automation, companies are trying to improve their CI/CD. This is greatly assisted by AWS (CodeCommit, CodeDeploy) and Azure (Azure DevOps) tools. At a time when we want to integrate security into the lifecycle of projects (SSDLC), we need to automate security checks. An excellent tool is secureCodeBox, which integrates small tools like nmap, sslyze, wpscan, ZAP proxy etc.
The source code is available at
The whole system is based on a microservice architecture. Every modern agile Hackitect will choose a similar microservice architecture for DevSecOps / SecDevOps.
This article is a living creature, so I will edit, add and improve it to make everything accurate and correct.
Honorable mentions (not the real zoo):
- OWASP ZAP proxy
- ELK stack (Elasticsearch, Kibana, Logstash)