企业安全公共能力开源化实现参考

 

通过开源项目实现企业安全，需要从办公域、业务域的安全需求开发，注重业务生命周期的研发、集成运维阶段的安全预防、检测、处置技术公共能力建设，通过管理运营平台，覆盖企业的信息化安全需求，具备攻击能力，实现以攻为守，通过sorceforge、github最近3年内比较活跃的评价较高的项目梳理，形成本文，供参考。

图一、开源项目分类全景图

一、安全能力公共组件

 

图二：安全公共能力组件

1         密码技术

1.1        CA 中心

EJBCA is an enterprise class PKI Certificate Authority built on JEE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in other JEE applications.

https://sourceforge.net/projects/ejbca/

1.2        签名服务

The SignServer is an application for server side signatures called by other systems. It is flexible and can be customized to specific needs. 

https://sourceforge.net/projects/signserver/

2         身份

2.1 单点登录

Atricore’s JOSSO is an open source and commercially supported Internet Single Sign-On (FSSO) solution for point-and-click and standards-based (SAML2) Internet-scale SSO implementations.

https://sourceforge.net/projects/josso/

2 .2 身份管理

versatile identity management solution.

https://www.unity-idm.eu/

2.3 多因素认证

2.3.1    智能卡认证

 

Virtual Smart Card Architecture is an umbrella project for various projects concerned with the emulation of different types of smart card readers or smart cards themselves.

http://frankmorgner.github.io/vsmartcard/

2.3.2    指纹认证

SourceAFIS is a software library for human fingerprint recognition.

https://sourceforge.net/projects/sourceafis/

3         协议

3.1 可信计算

Integrity Measurement Architecture to know EXACTLY what has been run on your machine.

https://sourceforge.net/projects/linux-ima/

IBM's TPM 2.0 TSS

https://sourceforge.net/projects/ibmtpm20tss/

This is a user space TSS for TPM 2.0. It implements the functionality equivalent to (but not API compatible with) the TCG TSS working group's ESAPI, SAPI, and TCTI API's (and perhaps more) but with a hopefully simpler interface.

Open Source Tripwire ^® is a security and data integrity tool for monitoring and alerting on file & directory changes. This project is based on code originally contributed by Tripwire, Inc. in 2000.

https://github.com/Tripwire/tripwire-open-source

 

3.2 数据协议

gsoap toolkit development toolkit for web services and xml data bindings for c&C++，The gSOAP toolkit is an extensive suite of portable C and C++ software to develop XML Web services with powerful type-safe XML data bindings. Easy-to-use code-generator tools allow you to directly integrate XML data in C and C++. Serializes native application data in XML. Includes WSDL/XSD schema binding and auto-coding tools, stub/skeleton compiler, Web server integration with Apache module and IIS extension, high-performance XML processing with schema validation, fast MIME/MTOM streaming, SOAP and REST Web API development, WS-* protocols (WS-Security, WS-Policy, WS-ReliableMessaging, etc), XML-RPC and JSON. Licensed under GPLv2.

https://sourceforge.net/projects/gsoap2/

4    应用

4.1 微服务安全

Istio is an open platform for connecting, securing, and managing microservices. It provides a uniform way of integrating microservices, managing traffic flow, enforcing policies and aggregating telemetry data. 

https://sourceforge.net/projects/istio.mirror/

https://github.com/spring-projects/spring-security

https://github.com/spring-projects/spring-security-oauth

 

4.2API 安全

API-aware Networking and Security using eBPF and XDP 

https://github.com/cilium/cilium

 

二、基础安全设备

图三、基础安全设备

1 、防火墙

1.1NG 防火墙

Netdeep Secure is a Linux distribution with focus on network security.
Is a Next Generation Open Source Firewall,

https://sourceforge.net/projects/nds/

1.2SOHO 防火墙

OPNsense is an open source, easy to use firewall and routing platform

https://sourceforge.net/projects/opnsense/

BrazilFW is a mini Linux distribution designed to be used as a Firewall and Router that runs easily on older computers.

https://sourceforge.net/projects/brazilfw/

 

The IPCop Firewall is a Linux firewall distribution. It is geared towards home and SOHO users. The IPCop web-interface is very user-friendly and makes usage easy.

https://sourceforge.net/projects/ipcop/

 

Smoothwall is a best-of-breed Internet firewall/router, designed to run on commodity hardware and to provide an easy-to-use administration interface to those using it. Built using open source and Free software, it's distributed under the GNU Public License.

https://sourceforge.net/projects/smoothwall/

 

An iptables based firewall for systems running the Linux 2.4 or later kernel. Very flexible configuration allows the firewall to be used in a wide variety of firewall/gateway/router and VPN environments.

https://sourceforge.net/projects/shorewall/

 

"TKMsense" an easy to use secure OpenBSD based firewall distribution. 

https://sourceforge.net/projects/tkmsense/

 

1.3WEB 防火墙

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

https://sourceforge.net/projects/mod-security/

 

2 、安全网关

2.1 防垃圾邮件

Anti-Spam SMTP Proxy Server

https://sourceforge.net/projects/assp/

2.2云安全网关

Falco is a open source project to detect abnormal application behavior in a cloud native environment like Kubernetes. This cloud native runtime security project allows you to detect unexpected application behavior and alerts on threats.

https://sourceforge.net/projects/falco.mirror/

2.3UTM 网关

Untangle is a Linux-based network gateway with pluggable modules for network applications like spam blocking, web filtering, anti-virus, anti-spyware, intrusion prevention, bandwidth control, captive portal, VPN, firewall, and more.

https://sourceforge.net/projects/untangle/

 

Endian Firewall Community (EFW) is a "turn-key" linux security distribution that makes your system a full featured security appliance with Unified Threat Management (UTM) functionalities. The software has been designed for the best usability: very easy to install, use and manage and still greatly flexible.

https://sourceforge.net/projects/efw/

3 、入侵检测

Snort

It is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

https://www.snort.org/

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

https://github.com/ossec/ossec-hids

3.1 网站防篡改

WebESC detects changes in your list of local or web files. 

https://sourceforge.net/projects/webesc/

 

 

4 、抗DDOS攻击

OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS).

https://opendds.org/

 

SNĒZ is a web interface to the popular open source IDS programs SNORT® and Suricata. IDS output can be unified2 or JSON formats.

https://sourceforge.net/projects/snez/

 

 

三、运营分析

图四、运营分析

1 、资产管理

i-doit is a web based IT documentation and CMDB. i-doit documents IT-systems and their changes, defines emergency plans, displays vital information and helps to ensure a stable and efficient IT operation:

https://sourceforge.net/projects/i-doit/

2 、数据源

2.1 网络监控

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. 

https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

2.2 日志管理

Cyberoam iView; the Intelligent Logging & Reporting solution provides organizations network visibility across multiple devices to achieve higher levels of security, data confidentiality while meeting the requirements of regulatory compliance.

2.3 威胁情报

https://sourceforge.net/projects/cyberoam-iview/

Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner.

https://github.com/Neo23x0/sigma

3 、数据分析

3.1 流量分析

Flexible web-based firewall log analyzer, supporting netfilter and ipfilter, ipfw, ipchains, cisco routers and Windows XP system logs, and mysql or postgresql database logs using the iptables ULOG or NFLOG target of netfilter others mapped to the ulogd format with a view. 

https://sourceforge.net/projects/webfwlog/

3.2 日志分析

3.3 访问行为分析

AWStats is a free powerful and featureful server logfile analyzer that shows you all your Web/Mail/FTP statistics including visits, unique visitors, pages, hits, rush hours, os, browsers, search engines, keywords, robots visits, broken links and more

https://sourceforge.net/projects/awstats/

4 应用服务

4.1 管理前端

NagiosQL is a professional, web based configuration tool for Nagios 2.x/3.x/4.x. It is designed for large enterprise requirements as well as small environments. Any Nagios functionalities are supported.

https://sourceforge.net/projects/nagiosql/

4.3 取证分析

Xplico is a Network Forensic Analysis Tool (NFAT).

https://sourceforge.net/projects/xplico/、

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. 

https://sourceforge.net/projects/autopsy/

MantaRay Forensics

MantaRay is designed to automate processing forensic evidence with open source tools.

https://sourceforge.net/projects/mantarayforensics/

5 、威胁分析

5.1 病毒分析

The goal of this project is to build an add-on for browser that passively audits the security posture of the websites that the user is visiting. Assume that the tool is to be used on non-malicious websites, currently not under attack or compromised. Add-on wants to report security misconfigurations, or failure to use best security practices.

https://sourceforge.net/projects/web-security-audit/

Antivirus Live CD is an official 4MLinux fork including the ClamAV scanner. It's designed for users who need a lightweight live CD, which will help them to protect their computers against viruses. 

https://sourceforge.net/projects/antiviruslivecd/

Cuckoo Sandbox uses components to monitor the behavior of malware in a Sandbox environment; isolated from the rest of the system. It offers automated analysis of any malicious file on Windows, Linux, macOS, and Android.

https://sourceforge.net/projects/cuckoosandbox.mirror/

 

5.2WEB 漏扫

Wapiti is a vulnerability scanner for web applications.

https://sourceforge.net/projects/wapiti/

web application attack and audit framework, the open source web vulnerability scanner.

https://github.com/andresriancho/w3af

一款完善的安全评估工具，支持常见 web 安全问题扫描和自定义 poc 

https://github.com/chaitin/xray

Web Application Security Scanner Framework 

https://github.com/Arachni/arachni

Next generation web scanner

https://github.com/urbanadventurer/WhatWeb

A PHP script designed to detect trojans, viruses, malware and other threats within files uploaded to your system wherever the script is hooked, based on the signatures of ClamAV and others.

https://sourceforge.net/projects/phpmussel/

5.3 网络安全

Network Security Toolkit (NST) is a bootable ISO image (Live DVD/USB Flash Drive) based on Fedora 30 providing easy access to best-of-breed Open Source Network Security Applications and should run on most x86_64 systems.

https://sourceforge.net/projects/nst/

OSS Next Gen Network Management System (NG-NetMS)OPT

https://sourceforge.net/projects/ngnms/

openQRM is a web-based open source datacenter management and hybrid cloud computing platform that integrates flexibly with existing components in enterprise data centers.

https://sourceforge.net/projects/openqrm/

 

Netdisco is an SNMP-based L2/L3 network management tool designed for moderate to large networks. Routers and switches are polled to log IP and MAC addresses and map them to switch ports. Automatic L2 network topology discovery, display, and inventory.

https://sourceforge.net/projects/netdisco/

 

5.4 数据安全

Parrot Project

Security, Development and Privacy Defense, all in one place.

https://sourceforge.net/projects/parrotsecurity/

5.5 攻击模拟

An open source Breach and Attack Simulation tool to evaluate the security posture of your network.

https://www.guardicore.com/infectionmonkey/

 

 

四、研发安全

图五、研发安全

1、          代码安全

1.1 源代码审计

Source Code Security Audit (源代码安全审计)

https://github.com/WhaleShark-Team/cobra

VCG is an automated code security review tool for C++, C#, VB, PHP, Java, PL/SQL and COBOL, which is intended to speed up the code review process by identifying bad/insecure code.

https://sourceforge.net/projects/visualcodegrepp/

Bandit is a tool designed to find common security issues in Python code.

https://github.com/PyCQA/bandit

scanner detecting the use of JavaScript libraries with known vulnerabilities

 http://retirejs.github.io/retire.js/

https://github.com/securego/gosec

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors 

https://html5sec.org/

 

 

2、     组件安全

2.1 依赖关系检查

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

https://github.com/jeremylong/DependencyCheck

2.2 开源组件漏洞挖掘

OSS-Fuzz - continuous fuzzing of open source software. 

https://github.com/google/oss-fuzz

WhiteSource Bolt for GitHub/Azure DevOps is a FREE app/extension, which scans all of your projects and detects vulnerable open source components.

https://sourceforge.net/projects/whitesource-bolt/

 

3、    接口安全

3.1 接口检查

https://github.com/shieldfy/API-Security-Checklist/blob/master/README-zh.md

3.2 检查列表

https://github.com/danielmiessler/SecLists

4、     集成安全

4.1 漏洞挖掘

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

https://github.com/aquasecurity/trivy

r

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources 

https://github.com/cloud-custodian/cloud-custodian

 

4.2 自动化渗透

Fully automated offensive security framework for reconnaissance and vulnerability scanning

 https://j3ssie.github.io/Osmedeus/

4.3 审计检查

InSpec: Auditing and Testing Framework

https://github.com/inspec/inspec

 

五、教育训练

图六、教育训练

1 、WEB安全

Web Security Dojo is a virtual machine that provides the tools, targets, and documentation to learn and practice web application security testing.

https://sourceforge.net/projects/websecuritydojo/

 

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

https://owasp.org/www-project-juice-shop/

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.

https://github.com/ethicalhack3r/DVWA

WEB安全学习

https://github.com/CHYbeta/Web-Security-Learning

2 、 APP 安全

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering. 

https://github.com/OWASP/owasp-mstg

3 、安全加固

https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

4 、渗透测试

This is Metasploitable2 (Linux)

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

https://sourceforge.net/projects/metasploitable/

六、渗透测试

图七、渗透测试

1、     渗透测试

1 ．1载荷攻击

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

https://github.com/samratashok/nishang

1.2 渗透框架

面向中国信息安全白帽子人员的红方渗透作战操作系统，内容工具更适用于中国的环境，避免大而全精简不常用的工具软件，集成国内优秀的开源渗透工具帮助红方人员更好的实施工作！

https://sourceforge.net/projects/taie-redteam-os/

We are excited to announce the availability of Blackhat-Global OS Lite. We’ve condensed the full Blackhat-Global experience into a streamlined operating system that’s fast, user-friendly, desktop-oriented operating system based. Which is available immediately for download.

https://sourceforge.net/projects/blackhat-global/

Automated pentest framework for offensive security experts

https://github.com/1N3/Sn1per

2 专项攻击

2.1DDOS 攻击

UFONet - is a toolkit designed to launch DDoS and DoS attacks.

https://sourceforge.net/projects/ufonet/

2.2钓鱼攻击

Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.

https://getgophish.com/

2.3 社会工程

Trape is an  OSINT analysis and research tool, which allows people to track and execute intelligent  social engineering attacks in real time. 

https://github.com/jofpin/trape

 

七、办公安全

 

图八、办公安全

1 、内网接入

OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single TCP/UDP port.

https://sourceforge.net/projects/openvpn/

2 、网络准入

A network access control (NAC) system featuring a captive-portal for registration and remediation, wired and wireless management, 802.1X support, isolation of devices, integration with IDS; it can be used to secure networks from small to large.

https://sourceforge.net/projects/packetfence/

3 、密码管理

Bitwarden is an easy-to-use and secure desktop vault for managing passwords and other sensitive data. It helps individuals and teams share, store and sync sensitive data, and create and secure passwords. All data is fully encrypted before it even leaves your device, with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.

https://sourceforge.net/projects/bitwarden.mirror/