Fantastic Open Source Cybersecurity Tools and Where to Find Them | Data Center Knowledge
Open source is a double-edged sword for information security.
On the one hand, security professionals rely on countless open source security software tools, frameworks, and data exchange and intelligence platforms to carry out their work.
On the other hand, attackers have access to the same tools. In addition, open source software, both in security operations and elsewhere in the data center, can pose security risks.
The Importance of Open Source Tools
According to a survey released late last month by Aqua Security, most security professionals are in favor of using open source security software and tools.
In the survey of 100 CISOs at Fortune 1000 companies, 70% said that open source security solutions offered a faster way to protect their environments and 78% said they offered the latest and greatest innovations in cloud security.
“Open source permeates the data center,” said Mike Parkin, a cyber engineer at Vulcan Cyber. “If you use tools to monitor your data center, many of them are open source. I was a penetration tester and there are a lot of open source tools in this world.”
Parkin suggested that to get acquainted with the topic, one resource to get started is the list of free OWASP open source application security tools.
The SANS Institute also has a collection of open source security tools created by its instructors, he added.
The downside to using open source security software is that support may not be available, he said. Smaller niche tools may have small user communities and few third-party experts ready to step in and help.
Others, however, have vendors behind them.
“There are a good number of companies whose full business model is based on helping to deploy, maintain and service a particular open source project,” Parkin said. “If you’re using a purely open source project, that level of commercial support isn’t there. It means you’ll need internal talent that is comfortable and able to keep an open source tool.”
Vulcan Cyber publishes its own list of open source tools for cyber risk assessment and mitigation.
Security testing firm Bishop Fox also has a list of open source tools, this one specifically around ransomware, with the pros and cons of each tool.
Security frameworks and information exchange
The MITRE ATT&CK framework, developed by the nonprofit MITRE Corporation, is widely recognized as the gold standard in cybersecurity.
“It’s a knowledge base of all the things hackers usually do,” said Derek Rush, managing consultant at Bishop Fox.
ATT&CK is currently the most effective framework we have, he told Data Center Knowledge. “It covers tactics, techniques and procedures, with details of each attack and indicators of engagement.”
The MITRE Corporation is also one of the sponsors of the CVE list, which is sponsored by the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. Its mission is to identify, define and catalog publicly disclosed cybersecurity vulnerabilities; it currently catalogs more than 175,000 Common Vulnerabilities and Exposures entries.
The CVE program has more than 200 participants, including the Apache Software Foundation, Apple, Google, IBM, Intel, Microsoft, Red Hat, and the Zero Day Initiative.
Another valuable resource for security professionals is MISP, the open source threat intelligence sharing platform.
There are other industry and government groups that share information about threats, Rush said.
Organizations benefit greatly when intelligence on threats is stored and shared among the community, said Sanjay Raja, Gurucul’s vice president of product.
“This can provide immediate protection or detection capabilities,” he said. “While it reduces the dependency on vendors who often don’t provide updates to systems, for weeks or even months.”
For example, CISA has an automated indicator sharing platform. Meanwhile, in Canada, there is the Canadian Cyber Threat Exchange.
“These platforms enable the real-time exchange and consumption of automated, machine-readable feeds,” said Isabelle Hertanto, principal investigator of security and privacy practice at Info-Tech Research Group.
This steady stream of indicators of compromise can help security teams respond to network security threats, she told Data Center Knowledge.
In fact, the problem is not a lack of open source threat intelligence data but an overabundance of it, she said. To help data center security teams cope, vendors are developing AI-based solutions to aggregate and process all of this information.
“We see this capability integrated into next-generation commercial firewalls and new SIEM and SOAR platforms,” Hertanto said.
She also expects these services to be offered by managed security service providers.
Open source security threats
According to the 2021 Synopsys Open Source Security and Risk Analysis report, 98 percent of enterprise software projects, both internal and commercial, contain some open source.
“Virtually any software originated in open source somewhere,” said Prakash Sutheraman, CISO of CloudBees, a business software delivery company.
CloudBees itself is the creator of Jenkins, the dominant software delivery lifecycle automation tool.
Open source software can be vulnerable, Sutheraman said. Many people believe that open source is safe because anyone can look at the code and examine it for vulnerabilities. But the fact that anyone can doesn’t mean that anyone actually does.
Take the recent Log4j vulnerability, for example.
“I haven’t found anyone who can tell me how Log4j really works, who has looked at the source code,” Sutheraman said. “No one looked at the package. They just thought it was okay.”
Smaller packages with few maintainers are especially problematic. Attackers can use various methods to try to inject malicious code into the software.
“But with most major packages, like Jenkins for example, there are a lot of checks and balances,” he said. “We have dedicated security specialists to make sure Jenkins is safe. That’s true for most large open source projects. They take security very seriously.”
Any business software could become the entry point for an attack. But when security software is used for this purpose, the threat increases because security tools typically have access to very sensitive areas and systems.
Of course, it’s not just open source security software that attackers target. SolarWinds, which suffered a major hit in 2020 that led to thousands of its customers being breached, was a commercial network security product. Avoiding open source therefore does not guarantee security.
Instead, data centers should practice basic hygiene when it comes to using open source software, including open source security tools.
“The first question should be discovery,” said Moshe Zioni, vice president of security research at Apiiro, a company that helps security teams manage open source vulnerabilities. “No one really knows what’s being used. So what kind of risks are we taking and how do we measure that risk?”
For example, he said, companies could consider maintaining a certain open source tool or establishing a registry of approved software packages.
Few companies have the resources to review and evaluate all possible open source software packages that could be used in their environments. It would be helpful to have a public risk scoring system for open source software, similar to a credit rating.
“There are several that are being discussed,” Zioni said. “OpenSSF is trying to do just that, to assess the risks of open source packages.”
Last Thursday, OpenSSF, the Linux Foundation, CISA, NIST and other groups met in Washington, DC, and announced a $150 million plan to secure open source software.
“It’s rare to see competitors from industry, government and various open source ecosystems come together for the common good,” said Brian Fox, CTO of Sonatype and an OpenSSF board member. “It shows how big a problem we have to solve to secure open source.”
Amazon, Ericsson, Google, Intel, Microsoft and VMware have collectively pledged more than $30 million for the effort.
“No entity can solve it alone,” Fox told Data Center Knowledge.