6 Open Source Tools for Your Security Team
Open source tools can be great additions to your cloud security arsenal. Here are a half-dozen to get you started.
January 6, 2021
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc6dd14901e822232/64f0d35a8f623446b4111d72/Image_1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Open source tools are a fact of life in application development. A growing number of open source security tools makes the noncommercial license a realistic option for more security teams.
Traditionally, open source tools have been viewed as options for academic institutions and smaller companies. But current-generation open source tools, developed with an emphasis on scale and deployment flexibility, have been developed with larger enterprises in mind.
Dark Reading looked at a range of tools and systems across the open source landscape to find a half-dozen that enterprise security teams will want to know about. Several are at the beginning of their product lives; one is at the end, though it is still useful. In most cases, these tools compete against commercial offerings, though in every case the open source option provides qualities (aside from purchase price) that make them worthy of consideration for specific situations.
How is your security team using open source tools? Are they for specific purposes, the majority of the enterprise security tool set, or not sufficiently reliable to be on the enterprise roster at all? Let us know in the Comments section, below.
(Image: WrightStudio VIA Adobe Stock)
The Janssen Project tackles the authentication and authorization aspects of cloud security. The project's components include various implementations of the OAuth, OpenID Connect, and FIDO standards.
Janssen is a Linux Foundation project and, as such, is governed according to the foundation's charter. Ultimately, the project's goals include coalescing a community and fostering an ecosystem rather than simply putting a product or collection of technologies into the market.
But more than simply an authorization and authentication server, Janssen provides the components for a scalable, centralized authentication and authorization service. While the project acknowledges that a number of commercial (and even other open source) authentication systems are available, Janssen is intended to be highly scalable, highly available, and highly flexible, with special attention paid to organizations with very high volumes of concurrent users or large fleets of Internet of Things (IoT) devices that need to be authenticated and authorized onto the network.
OSSEC is an open source, host-based intrusion detection system (HIDS). It is widely used, very scalable, and multiplatform, making it well-suited for deployment on a cloud-based infrastructure.
OSSEC has a huge user base, with more than 500,000 downloads each year, as reported by the OSSEC project team. One of OSSEC's strengths is that it can be used both as an IDS and as an analytics engine, allowing for analysis of firewall, IDS, web server, and authentication logs.
As an open source project distributed under the GNU GPL V2 license, OSSEC can be readily modified to fit an organization's specific needs. In standard configurations, OSSEC provides intrusion, rootkit, and malware detection; active response to attacks and unauthorized system changes; and compliance auditing.
Security Monkey is one of the tools to come out of the Netflix "chaos engineering" discipline that also released Chaos Gorilla, the successor to Security Monkey. Together, they're referred to as the "Simian Army" that tests the Netflix infrastructure for weakness and redundancy.
At its core, Security Monkey randomly reboots the servers in a cloud infrastructure. This provides a company with information on whether the application delivery network can withstand the loss of any particular server.
In order to provide the random reboot capability, Security Monkey can also monitor a cloud infrastructure for configuration changes, server additions, and server performance parameters. Even if a company doesn't use the random reboot capabilities, the Simian Army can provide valuable system- and configuration-monitoring capabilities.
Cartography is a security graph tool that enables a broad set of network exploration scenarios. For cloud security professionals, one of the valuable tasks Cartography can provide is illuminating the relationships that exist between the various nodes in an application delivery network.
Cartography is written in Python and uses a Neo4j database to store data on the nodes in the network and control how they're displayed. Cartography supports platforms that include Amazon Web Services (EC2, Elasticsearch, Elastic Kubernetes Service, DynamoDB, IAM, Lambda, RDS, Redshift, Route53, S3, STS, and Tags) and the Google Cloud Platform (Cloud Resource Manager, Compute, DNS, Storage, and Google Kubernetes Engine).
While Security Monkey, Chaos Gorilla, and the Simian Army came out of Netflix's labs, Cartography was developed as an open source tool by Lyft. It can be used for both security functions and as a risk assessment tool, showing (or confirming) relationships between application nodes that can indicate the level of risk for network components and the network as a whole.
Grapl is a security data analytics program that differs from most of the other open source security products in one key way: Rather than using a relational database as the mechanism for storing data, Grapl uses graphs -- a data structure using nodes and edges, in which nodes are the individual data entities and edges are the relationships between nodes.
Grapl will take data from log files -- data usually stored in list format -- and convert them into graphs. Once in graph form, relationships between individual nodes can be more readily seen. Attacker behaviors that take advantage of these relationships can also be realized and modeled. Security teams can use the models to plan defenses and analyze complex attacker behavior to prepare for future attacks.
Grapl is a young program that is changing rapidly and is not yet at a stable 1.0 release. It is functional, though, and even in its existing state it will give security teams the opportunity to learn how graphs can be used within their professional practices.
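To make concrete what Cartography and Grapl mean by "illuminating relationships", here is an added example (not code from either project, and not their schemas) that takes list-shaped process and file events of the kind a HIDS would log, builds a small labelled graph, and asks it a relationship question that no single log line answers on its own: which file was written by one process and then executed by another, and what lineage the writer came from. The event format and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical schema. Each is a separate,
# list-shaped record, as an endpoint agent or HIDS would emit it.
EVENTS = [
    {"kind": "proc", "pid": 100, "ppid": 1,   "exe": "/usr/sbin/nginx"},
    {"kind": "proc", "pid": 200, "ppid": 100, "exe": "/bin/sh"},
    {"kind": "proc", "pid": 300, "ppid": 200, "exe": "/usr/bin/curl"},
    {"kind": "write", "pid": 300, "path": "/tmp/payload"},
    {"kind": "proc", "pid": 400, "ppid": 200, "exe": "/tmp/payload"},
    {"kind": "proc", "pid": 500, "ppid": 1,   "exe": "/usr/sbin/cron"},
    {"kind": "proc", "pid": 600, "ppid": 500, "exe": "/usr/bin/curl"},
    {"kind": "write", "pid": 600, "path": "/var/log/report.txt"},
]

def build_graph(events):
    """Nodes are ("proc", pid) and ("file", path); edges carry a label:
    spawned (parent -> child), wrote (proc -> file), executed (file -> proc)."""
    exe_of, parent, edges = {}, {}, defaultdict(set)
    for e in events:
        if e["kind"] == "proc":
            p = ("proc", e["pid"])
            exe_of[p], parent[p] = e["exe"], ("proc", e["ppid"])
            edges[("proc", e["ppid"])].add(("spawned", p))
            edges[("file", e["exe"])].add(("executed", p))
        elif e["kind"] == "write":
            edges[("proc", e["pid"])].add(("wrote", ("file", e["path"])))
    return exe_of, parent, edges

def lineage(exe_of, parent, node):
    """Follow parent links back to the root and return the executables on the way."""
    chain = []
    while node in exe_of:
        chain.append(exe_of[node])
        node = parent[node]
    return chain[::-1]

def dropped_and_executed(exe_of, parent, edges):
    """Relationship query: a file that one process wrote and a later process ran.
    In list form these are two unrelated lines; in the graph they share a file node."""
    hits = []
    for proc, out in list(edges.items()):
        for label, f in out:
            if label != "wrote":
                continue
            for label2, runner in edges.get(f, ()):
                if label2 == "executed":
                    hits.append({"writer": lineage(exe_of, parent, proc),
                                 "path": f[1], "exec_pid": runner[1]})
    return hits

if __name__ == "__main__":
    for hit in dropped_and_executed(*build_graph(EVENTS)):
        print(hit)
```

The cron-spawned curl writes a file that nothing executes, so only the nginx-rooted chain is reported; in a real deployment the same query runs against the graph database rather than an in-memory dict.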
Panther is a self-hosted, open source security information and event management (SIEM) tool based on Python. The system, launched in 2020 by Panther Labs, can analyze logs from many different security tools -- such as OSSEC and osquery -- and cloud resources, including many of the services provided on AWS. In the analysis of the cloud resources, Panther can be configured with policies designed to help security analysts discover vulnerable infrastructure and develop new security best practices.
Panther is intended to provide features competitive with enterprise management and analysis products, like those from Splunk and LogRhythm. According to its documentation, Panther will identify misconfigurations, achieve compliance, and model security best practices in code.
Panther is available in three versions: Community (free), Team, and Pro. Team and Pro are paid licenses, with more data sources, additional capabilities, and more comprehensive support coming at the higher price points.