An increasing number of organizations and companies (including the federal government) rely on open-source projects in their security operations architecture, secure development tools, and beyond.
Open-source solutions offer numerous advantages to development-savvy teams ready to take ownership of their security challenges. Teams can implement them to provide foundational capabilities, like “process logs” or “access machine state,” swiftly; no need to wait for purchasing approval. They can build custom components on top of open-source code to fit their company’s needs perfectly. Furthermore, open-source solutions are transparent, return great value for dollars spent (since investment improves the tool rather than paying for a license), and receive maintenance from a community of fellow users.
What’s the catch?
Open source can potentially mean faster, easier, and better solutions, but there’s one thing missing: Expert engineering support.
How do you pick the right tool for your needs? How do you know this open-source solution works? That it’s safe? What do you do when no one fixes reported bugs? What do you do when you need a new killer feature but no one in your company can build it? What happens when breaking changes are introduced and you need to upgrade?
How we can help
We’re security researchers who specialize in evaluating the security of code and building security solutions. If you want to leverage open-source security technology, we can help you pick the right tool, clean up technical debt, build new necessary features, and maintain it for you. Our developers fix bugs, update out-of-date components or practices, harden vulnerable code, and, when necessary, can re-engineer things completely. We provide the way forward through all your show-stopping issues.
How can I ensure this open-source project is right for my needs? We can find open-source solutions that best suit the needs of your organization. We can polish up whatever needs fixing, build new essential features, and then maintain your final solution.
What if I need a new feature? Whether it’s porting software to a new OS, integrating the tool with others in your stack, or leveraging an existing tool for a new use case, our team has the expertise to build security solutions. Once built, we work with the open-source project teams to merge features into public repos so the features are continuously maintained through updates.
How can I fix known bugs? We can fix them and work through technical debt to prevent more bugs in the future.
What if breaking changes are introduced in open-source dependencies? We can re-engineer solutions to maintain functionality.
Is the open-source software safe? We can review it for security best practices, ensure there’s no malicious code, and harden the code to minimize risk to your company.
How do I know this open-source solution works? We can review its code, understand the mechanics of how it works, and test edge cases to confirm consistent intended behavior. If we find anything broken or poorly engineered, we can fix it. If the project is truly beyond repair, we can completely re-engineer the system to work for your organization.
How we do it
We’ve begun hosting support groups for companies leveraging open-source technology in three areas:
- Security Operations: this team supports technology that keeps company fleets and users safe from network-level attacks.
- Secure Development: this team automates software testing, hardens software, and builds security into modern development practices.
- Core Infrastructure: this team improves essential core infrastructure that requires maintenance or re-engineering to mitigate newly discovered attacks.
For each group, we help clients pick the best open-source project to suit their needs, update and fix needed functionality, build custom features to perfectly fit client requirements, and maintain the technology so that it’s effective and safe.
Take a look at some examples of our Security Operations group’s success stories:
osquery
Endpoint monitoring tool that transforms your fleets’ system data into a queryable database.
Successes so far:
- Ported osquery to Windows.
- Completely redesigned the Audit backend and added a new Audit-based File Integrity Monitoring table.
- Implemented a new table to capture SELinux events.
- Added Windows Event Log Logger plugin and Firehose/Kinesis support for Windows.
- Created the Trail of Bits Extension Repo to enable firewall management, Santa whitelisting integration, and more.
- Enabled safe write-access for osquery extensions.
- Implemented extension bundling, in order to merge multiple extensions into a single binary.
- Added Authenticode verification support for Windows.
A serverless, real-time data analysis framework which empowers users to ingest, analyze, and set up alerts on data from any environment, using customized data sources and alerting logic.
Successes so far:
- Added an app (a.k.a. integration) that collects access and integrations logs from Slack.
- Added an app that collects ActionTrail events from Aliyun.
Santa
A binary whitelisting/blacklisting system for macOS that helps administrators track naughty or nice binaries.
Successes so far:
- Created an extension for integrating Santa with osquery, also capable of managing endpoint configuration.
- Added support for CMake and fuzzing.
- Improved privilege separation by adding support for unprivileged XPC interfaces, introduced in MOLXPCConnection 1.2.
Google Omaha + CrystalNix Omaha Server
The open-source version of Google Update. Developers can use it to install requested software and keep it up to date. (This set of enhancements is being publicly released soon.)
Successes so far:
- Created scripts to simplify the build process.
- Simplified the process of rebranding Omaha to work with a custom Omaha server.
- Updated the CrystalNix Omaha server to support the latest Google Omaha client with SHA256.
Where we’d like to help next
There’s still so much room for improvement both in the security posture of companies that leverage open-source tooling and the technologies’ capabilities. In security operations, we can leverage promising open-source technology for memory forensics, user account takeover, binary analysis, and secret management. We can enhance software testing capabilities in fuzzing, symbolic execution, and binary lifting. We can wipe out industry-wide attack risks by re-engineering, improving, and maintaining widely-adopted tools for forensics, package management, and PDF parsing.
How can we help you?
How can we help make open-source security solutions work better for you? Let us know!
*** This is a Security Bloggers Network syndicated blog from Trail of Bits Blog authored by Lauren Pearl. Read the original post at: https://blog.trailofbits.com/2018/08/22/get-an-open-source-security-multiplier/