A Reference for Implementing Enterprise Security Common Capabilities with Open Source
Implementing enterprise security with open source projects requires starting from the security requirements of the office domain and the business domain, focusing on building common technical capabilities for security prevention, detection and response across the development, integration and operations stages of the business lifecycle, and covering the enterprise's IT security requirements through a management and operations platform, while also possessing offensive capability so as to defend through offense. This article was compiled by reviewing projects on SourceForge and GitHub that have been relatively active and well rated over the past three years, and is provided for reference.
Figure 1: Overview of open source project classification
I. Security Capability Common Components
Figure 2: Security common capability components
1 Cryptography
1.1 CA center
EJBCA is an enterprise class PKI Certificate Authority built on JEE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in other JEE applications.
https://sourceforge.net/projects/ejbca/
1.2 Signing service
The SignServer is an application for server side signatures called by other systems. It is flexible and can be customized to specific needs.
https://sourceforge.net/projects/signserver/
2 Identity
2.1 Single sign-on
Atricore’s JOSSO is an open source and commercially supported Internet Single Sign-On (FSSO) solution for point-and-click and standards-based (SAML2) Internet-scale SSO implementations.
https://sourceforge.net/projects/josso/
2.2 Identity management
Unity is a versatile identity management solution.
https://www.unity-idm.eu/
2.3 Multi-factor authentication
2.3.1 Smart card authentication
Virtual Smart Card Architecture is an umbrella project for various projects concerned with the emulation of different types of smart card readers or smart cards themselves.
http://frankmorgner.github.io/vsmartcard/
2.3.2 Fingerprint authentication
SourceAFIS is a software library for human fingerprint recognition.
https://sourceforge.net/projects/sourceafis/
3 Protocols
3.1 Trusted computing
The Integrity Measurement Architecture (IMA) lets you know exactly what has been run on your machine.
https://sourceforge.net/projects/linux-ima/
IBM's TPM 2.0 TSS
https://sourceforge.net/projects/ibmtpm20tss/
This is a user space TSS for TPM 2.0. It implements functionality equivalent to (but not API compatible with) the TCG TSS working group's ESAPI, SAPI, and TCTI APIs (and perhaps more), but with a hopefully simpler interface.
Open Source Tripwire ® is a security and data integrity tool for monitoring and alerting on file & directory changes. This project is based on code originally contributed by Tripwire, Inc. in 2000.
https://github.com/Tripwire/tripwire-open-source
3.2 Data protocols
gSOAP is a development toolkit for web services and XML data bindings for C and C++. The gSOAP toolkit is an extensive suite of portable C and C++ software to develop XML Web services with powerful type-safe XML data bindings. Easy-to-use code-generator tools allow you to directly integrate XML data in C and C++ and serialize native application data in XML. It includes WSDL/XSD schema binding and auto-coding tools, a stub/skeleton compiler, Web server integration with an Apache module and IIS extension, high-performance XML processing with schema validation, fast MIME/MTOM streaming, SOAP and REST Web API development, WS-* protocols (WS-Security, WS-Policy, WS-ReliableMessaging, etc.), XML-RPC and JSON. Licensed under GPLv2.
https://sourceforge.net/projects/gsoap2/
4 Applications
4.1 Microservice security
Istio is an open platform for connecting, securing, and managing microservices. It provides a uniform way of integrating microservices, managing traffic flow, enforcing policies and aggregating telemetry data.
https://sourceforge.net/projects/istio.mirror/
https://github.com/spring-projects/spring-security
https://github.com/spring-projects/spring-security-oauth
4.2 API security
Cilium: API-aware networking and security using eBPF and XDP.
https://github.com/cilium/cilium
II. Basic Security Devices
Figure 3: Basic security devices
1. Firewalls
1.1 Next-generation firewall
Netdeep Secure is a Linux distribution focused on network security. It is a next-generation open source firewall.
https://sourceforge.net/projects/nds/
1.2 SOHO firewalls
OPNsense is an open source, easy-to-use firewall and routing platform.
https://sourceforge.net/projects/opnsense/
BrazilFW is a mini Linux distribution designed to be used as a Firewall and Router that runs easily on older computers.
https://sourceforge.net/projects/brazilfw/
The IPCop Firewall is a Linux firewall distribution. It is geared towards home and SOHO users. The IPCop web-interface is very user-friendly and makes usage easy.
https://sourceforge.net/projects/ipcop/
Smoothwall is a best-of-breed Internet firewall/router, designed to run on commodity hardware and to provide an easy-to-use administration interface to those using it. Built using open source and Free software, it is distributed under the GNU General Public License.
https://sourceforge.net/projects/smoothwall/
Shorewall is an iptables-based firewall for systems running the Linux 2.4 or later kernel. Its very flexible configuration allows the firewall to be used in a wide variety of firewall/gateway/router and VPN environments.
https://sourceforge.net/projects/shorewall/
TKMsense is an easy-to-use, secure OpenBSD-based firewall distribution.
https://sourceforge.net/projects/tkmsense/
1.3 Web application firewall
ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://sourceforge.net/projects/mod-security/
2. Security gateways
2.1 Anti-spam
ASSP: Anti-Spam SMTP Proxy Server.
https://sourceforge.net/projects/assp/
2.2 Cloud security gateway
Falco is an open source project to detect abnormal application behavior in a cloud native environment like Kubernetes. This cloud native runtime security project allows you to detect unexpected application behavior and alerts on threats.
https://sourceforge.net/projects/falco.mirror/
2.3 UTM gateways
Untangle is a Linux-based network gateway with pluggable modules for network applications like spam blocking, web filtering, anti-virus, anti-spyware, intrusion prevention, bandwidth control, captive portal, VPN, firewall, and more.
https://sourceforge.net/projects/untangle/
Endian Firewall Community (EFW) is a "turn-key" Linux security distribution that makes your system a full-featured security appliance with Unified Threat Management (UTM) functionality. The software has been designed for the best usability: very easy to install, use and manage, and still greatly flexible.
https://sourceforge.net/projects/efw/
3. Intrusion detection
Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.
https://www.snort.org/
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
https://github.com/ossec/ossec-hids
3.1 Website anti-tampering
WebESC detects changes in your list of local or web files.
https://sourceforge.net/projects/webesc/
4. Anti-DDoS
OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS), a publish/subscribe middleware standard; despite the similar acronym, it is not a DDoS mitigation tool.
https://opendds.org/
SNĒZ is a web interface to the popular open source IDS programs SNORT® and Suricata. IDS output can be unified2 or JSON formats.
https://sourceforge.net/projects/snez/
III. Operations Analysis
Figure 4: Operations analysis
1. Asset management
i-doit is a web-based IT documentation tool and CMDB. i-doit documents IT systems and their changes, defines emergency plans, displays vital information and helps to ensure a stable and efficient IT operation.
https://sourceforge.net/projects/i-doit/
2. Data sources
2.1 Network monitoring
Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
2.2 Log management
Cyberoam iView, the Intelligent Logging & Reporting solution, provides organizations with network visibility across multiple devices to achieve higher levels of security and data confidentiality while meeting the requirements of regulatory compliance.
https://sourceforge.net/projects/cyberoam-iview/
2.3 Threat intelligence
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
https://github.com/Neo23x0/sigma
3. Data analysis
3.1 Traffic analysis
Webfwlog is a flexible web-based firewall log analyzer. It supports netfilter, ipfilter, ipfw, ipchains, Cisco router and Windows XP system logs, as well as MySQL or PostgreSQL database logs written by the iptables ULOG or NFLOG target of netfilter or by other loggers mapped to the ulogd format.
https://sourceforge.net/projects/webfwlog/
3.2 Log analysis
3.3 Access behavior analysis
AWStats is a free, powerful and feature-rich server logfile analyzer that shows you all your Web/Mail/FTP statistics, including visits, unique visitors, pages, hits, rush hours, OS, browsers, search engines, keywords, robot visits, broken links and more.
https://sourceforge.net/projects/awstats/
4 Application services
4.1 Management front end
NagiosQL is a professional, web-based configuration tool for Nagios 2.x/3.x/4.x. It is designed for large enterprise requirements as well as small environments. All Nagios functionality is supported.
https://sourceforge.net/projects/nagiosql/
4.3 Forensic analysis
Xplico is a Network Forensic Analysis Tool (NFAT).
https://sourceforge.net/projects/xplico/
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
https://sourceforge.net/projects/autopsy/
MantaRay Forensics: MantaRay is designed to automate the processing of forensic evidence with open source tools.
https://sourceforge.net/projects/mantarayforensics/
5. Threat analysis
5.1 Virus analysis
The goal of this project is to build a browser add-on that passively audits the security posture of the websites the user is visiting. It assumes the tool is used on non-malicious websites that are not currently under attack or compromised. The add-on reports security misconfigurations or failure to use security best practices.
https://sourceforge.net/projects/web-security-audit/
Antivirus Live CD is an official 4MLinux fork including the ClamAV scanner. It's designed for users who need a lightweight live CD, which will help them to protect their computers against viruses.
https://sourceforge.net/projects/antiviruslivecd/
Cuckoo Sandbox uses components to monitor the behavior of malware in a sandbox environment isolated from the rest of the system. It offers automated analysis of any malicious file on Windows, Linux, macOS, and Android.
https://sourceforge.net/projects/cuckoosandbox.mirror/
5.2 Web vulnerability scanning
Wapiti is a vulnerability scanner for web applications.
https://sourceforge.net/projects/wapiti/
w3af: web application attack and audit framework, the open source web vulnerability scanner.
https://github.com/andresriancho/w3af
xray: a complete security assessment tool that supports scanning for common web security issues and custom PoCs.
https://github.com/chaitin/xray
Arachni: Web Application Security Scanner Framework.
https://github.com/Arachni/arachni
WhatWeb: next generation web scanner.
https://github.com/urbanadventurer/WhatWeb
phpMussel is a PHP script designed to detect trojans, viruses, malware and other threats within files uploaded to your system wherever the script is hooked, based on the signatures of ClamAV and others.
https://sourceforge.net/projects/phpmussel/
5.3 Network security
Network Security Toolkit (NST) is a bootable ISO image (Live DVD/USB Flash Drive) based on Fedora 30 providing easy access to best-of-breed Open Source Network Security Applications and should run on most x86_64 systems.
https://sourceforge.net/projects/nst/
OSS Next Gen Network Management System (NG-NetMS)
https://sourceforge.net/projects/ngnms/
openQRM is a web-based open source datacenter management and hybrid cloud computing platform that integrates flexibly with existing components in enterprise data centers.
https://sourceforge.net/projects/openqrm/
Netdisco is an SNMP-based L2/L3 network management tool designed for moderate to large networks. Routers and switches are polled to log IP and MAC addresses and map them to switch ports. Automatic L2 network topology discovery, display, and inventory.
https://sourceforge.net/projects/netdisco/
5.4 Data security
Parrot Project: security, development and privacy defense, all in one place.
https://sourceforge.net/projects/parrotsecurity/
5.5 Attack simulation
Infection Monkey is an open source Breach and Attack Simulation tool to evaluate the security posture of your network.
https://www.guardicore.com/infectionmonkey/
IV. Development Security
Figure 5: Development security
1. Code security
1.1 Source code auditing
Cobra: Source Code Security Audit tool.
https://github.com/WhaleShark-Team/cobra
VCG is an automated code security review tool for C++, C#, VB, PHP, Java, PL/SQL and COBOL, which is intended to speed up the code review process by identifying bad/insecure code.
https://sourceforge.net/projects/visualcodegrepp/
Bandit is a tool designed to find common security issues in Python code.
https://github.com/PyCQA/bandit
Retire.js: a scanner detecting the use of JavaScript libraries with known vulnerabilities.
http://retirejs.github.io/retire.js/
https://github.com/securego/gosec
HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
https://html5sec.org/
2. Component security
2.1 Dependency checking
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://github.com/jeremylong/DependencyCheck
2.2 Vulnerability discovery in open source components
OSS-Fuzz: continuous fuzzing of open source software.
https://github.com/google/oss-fuzz
WhiteSource Bolt for GitHub/Azure DevOps is a FREE app/extension, which scans all of your projects and detects vulnerable open source components.
https://sourceforge.net/projects/whitesource-bolt/
3. Interface (API) security
3.1 Interface checks
https://github.com/shieldfy/API-Security-Checklist/blob/master/README-zh.md
3.2 Checklists
https://github.com/danielmiessler/SecLists
4. Integration security
4.1 Vulnerability discovery
Trivy: a simple and comprehensive vulnerability scanner for containers, suitable for CI.
https://github.com/aquasecurity/trivy
Cloud Custodian: rules engine for cloud security, cost optimization, and governance, with a YAML DSL for policies to query, filter, and take actions on resources.
https://github.com/cloud-custodian/cloud-custodian
4.2 Automated penetration testing
Osmedeus: fully automated offensive security framework for reconnaissance and vulnerability scanning.
https://j3ssie.github.io/Osmedeus/
4.3 Audit checks
InSpec: Auditing and Testing Framework
https://github.com/inspec/inspec
V. Education and Training
Figure 6: Education and training
1. Web security
Web Security Dojo is a virtual machine that provides the tools, targets, and documentation to learn and practice web application security testing.
https://sourceforge.net/projects/websecuritydojo/
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
https://owasp.org/www-project-juice-shop/
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.
https://github.com/ethicalhack3r/DVWA
Web security learning
https://github.com/CHYbeta/Web-Security-Learning
2. App security
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
https://github.com/OWASP/owasp-mstg
3. Security hardening
https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
4. Penetration testing
Metasploitable2 (Linux): Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.
https://sourceforge.net/projects/metasploitable/
VI. Penetration Testing
Figure 7: Penetration testing
1. Penetration testing
1.1 Payload attacks
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
https://github.com/samratashok/nishang
1.2 Penetration frameworks
TAIE RedTeam OS is a red team penetration operating system aimed at Chinese information security white-hat personnel. Its tools are better suited to the Chinese environment; it avoids being bloated by trimming rarely used tools, and it integrates excellent domestic open source penetration tools to help red team personnel carry out their work better.
https://sourceforge.net/projects/taie-redteam-os/
Blackhat-Global OS Lite condenses the full Blackhat-Global experience into a streamlined, fast, user-friendly, desktop-oriented operating system, available for download.
https://sourceforge.net/projects/blackhat-global/
Sn1per: automated pentest framework for offensive security experts.
https://github.com/1N3/Sn1per
2 Specialized attacks
2.1 DDoS attacks
UFONet is a toolkit designed to launch DDoS and DoS attacks.
https://sourceforge.net/projects/ufonet/
2.2 Phishing attacks
Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.
https://getgophish.com/
2.3 Social engineering
Trape is an OSINT analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time.
https://github.com/jofpin/trape
VII. Office Security
Figure 8: Office security
1. Intranet access
OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single TCP/UDP port.
https://sourceforge.net/projects/openvpn/
2. Network admission control
PacketFence is a network access control (NAC) system featuring a captive portal for registration and remediation, wired and wireless management, 802.1X support, isolation of devices, and integration with IDS; it can be used to secure networks from small to large.
https://sourceforge.net/projects/packetfence/
3. Password management
Bitwarden is an easy-to-use and secure desktop vault for managing passwords and other sensitive data. It helps individuals and teams share, store and sync sensitive data, and create and secure passwords. All data is fully encrypted before it even leaves your device, with end-to-end AES-256 encryption, salted hashing, and PBKDF2 SHA-256.
https://sourceforge.net/projects/bitwarden.mirror/