企业安全公共能力开源化实现参考

Tags: dev | Published: 2020-04-24 00:00 | Author:
Source: http://itindex.net/relian

Implementing enterprise security with open-source projects means starting from the security requirements of the office and business domains, and focusing on building common technical capabilities for prevention, detection and response across the development, integration and operations phases of the business lifecycle. Through a management and operations platform these capabilities cover the enterprise's information security needs, and they include offensive capability so that offence can serve defence. This article was compiled by reviewing the more active and well-rated projects on SourceForge and GitHub over the last three years, and is offered for reference.

Figure 1: Panorama of open-source project categories

I. Common Security Capability Components

Figure 2: Common security capability components

1 Cryptography

1.1 CA Center

EJBCA is an enterprise class PKI Certificate Authority built on JEE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in other JEE applications.

https://sourceforge.net/projects/ejbca/

1.2 Signing Service

The SignServer is an application for server side signatures called by other systems. It is flexible and can be customized to specific needs. 

https://sourceforge.net/projects/signserver/

2 Identity

2.1 Single Sign-On

Atricore’s JOSSO is an open source and commercially supported Internet Single Sign-On (FSSO) solution for point-and-click and standards-based (SAML2) Internet-scale SSO implementations.

https://sourceforge.net/projects/josso/

2.2 Identity Management

Unity is a versatile identity management solution.

https://www.unity-idm.eu/

2.3 Multi-Factor Authentication

2.3.1 Smart Card Authentication

Virtual Smart Card Architecture is an umbrella project for various projects concerned with the emulation of different types of smart card readers or smart cards themselves.

http://frankmorgner.github.io/vsmartcard/

2.3.2 Fingerprint Authentication

SourceAFIS is a software library for human fingerprint recognition.

https://sourceforge.net/projects/sourceafis/

3 Protocols

3.1 Trusted Computing

Integrity Measurement Architecture to know EXACTLY what has been run on your machine.

https://sourceforge.net/projects/linux-ima/

IBM's TPM 2.0 TSS

https://sourceforge.net/projects/ibmtpm20tss/

This is a user space TSS for TPM 2.0. It implements functionality equivalent to (but not API compatible with) the TCG TSS working group's ESAPI, SAPI, and TCTI APIs (and perhaps more), but with a hopefully simpler interface.

Open Source Tripwire ® is a security and data integrity tool for monitoring and alerting on file & directory changes. This project is based on code originally contributed by Tripwire, Inc. in 2000.

https://github.com/Tripwire/tripwire-open-source

3.2 Data Protocols

gSOAP is a development toolkit for web services and XML data bindings for C and C++. The gSOAP toolkit is an extensive suite of portable C and C++ software to develop XML Web services with powerful type-safe XML data bindings. Easy-to-use code-generator tools allow you to directly integrate XML data in C and C++ and serialize native application data in XML. It includes WSDL/XSD schema binding and auto-coding tools, a stub/skeleton compiler, Web server integration with an Apache module and IIS extension, high-performance XML processing with schema validation, fast MIME/MTOM streaming, SOAP and REST Web API development, WS-* protocols (WS-Security, WS-Policy, WS-ReliableMessaging, etc.), XML-RPC and JSON. Licensed under GPLv2.

https://sourceforge.net/projects/gsoap2/

4 Applications

4.1 Microservice Security

Istio is an open platform for connecting, securing, and managing microservices. It provides a uniform way of integrating microservices, managing traffic flow, enforcing policies and aggregating telemetry data. 

https://sourceforge.net/projects/istio.mirror/

https://github.com/spring-projects/spring-security

https://github.com/spring-projects/spring-security-oauth

4.2 API Security

API-aware Networking and Security using eBPF and XDP 

https://github.com/cilium/cilium

II. Basic Security Appliances

Figure 3: Basic security appliances

1 Firewalls

1.1 Next-Generation Firewalls

Netdeep Secure is a Linux distribution with a focus on network security. It is a next-generation open-source firewall.

https://sourceforge.net/projects/nds/

1.2 SOHO Firewalls

OPNsense is an open source, easy-to-use firewall and routing platform.

https://sourceforge.net/projects/opnsense/

BrazilFW is a mini Linux distribution designed to be used as a Firewall and Router that runs easily on older computers.

https://sourceforge.net/projects/brazilfw/

The IPCop Firewall is a Linux firewall distribution. It is geared towards home and SOHO users. The IPCop web-interface is very user-friendly and makes usage easy.

https://sourceforge.net/projects/ipcop/

Smoothwall is a best-of-breed Internet firewall/router, designed to run on commodity hardware and to provide an easy-to-use administration interface to those using it. Built using open source and Free software, it's distributed under the GNU Public License.

https://sourceforge.net/projects/smoothwall/

Shorewall is an iptables-based firewall for systems running the Linux 2.4 or later kernel. Its very flexible configuration allows the firewall to be used in a wide variety of firewall/gateway/router and VPN environments.

https://sourceforge.net/projects/shorewall/

TKMsense is an easy-to-use, secure OpenBSD-based firewall distribution.

https://sourceforge.net/projects/tkmsense/

1.3 Web Application Firewalls

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

https://sourceforge.net/projects/mod-security/

2 Security Gateways

2.1 Anti-Spam

ASSP: Anti-Spam SMTP Proxy Server

https://sourceforge.net/projects/assp/

2.2 Cloud Security Gateway

Falco is an open source project to detect abnormal application behavior in a cloud native environment like Kubernetes. This cloud native runtime security project allows you to detect unexpected application behavior and alerts on threats.

https://sourceforge.net/projects/falco.mirror/

2.3 UTM Gateways

Untangle is a Linux-based network gateway with pluggable modules for network applications like spam blocking, web filtering, anti-virus, anti-spyware, intrusion prevention, bandwidth control, captive portal, VPN, firewall, and more.

https://sourceforge.net/projects/untangle/

Endian Firewall Community (EFW) is a "turn-key" linux security distribution that makes your system a full featured security appliance with Unified Threat Management (UTM) functionalities. The software has been designed for the best usability: very easy to install, use and manage and still greatly flexible.

https://sourceforge.net/projects/efw/

3 Intrusion Detection

Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

https://www.snort.org/

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

https://github.com/ossec/ossec-hids

3.1 Website Tamper Protection

WebESC detects changes in your list of local or web files. 

https://sourceforge.net/projects/webesc/

4 Anti-DDoS

OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS).

https://opendds.org/

SNĒZ is a web interface to the popular open source IDS programs SNORT® and Suricata. IDS output can be unified2 or JSON formats.

https://sourceforge.net/projects/snez/

III. Operations and Analytics

Figure 4: Operations and analytics

1 Asset Management

i-doit is a web-based IT documentation tool and CMDB. i-doit documents IT systems and their changes, defines emergency plans, displays vital information and helps to ensure stable and efficient IT operation.

https://sourceforge.net/projects/i-doit/

2 Data Sources

2.1 Network Monitoring

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. 

https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

2.2 Log Management

Cyberoam iView, the Intelligent Logging & Reporting solution, provides organizations with network visibility across multiple devices to achieve higher levels of security and data confidentiality while meeting the requirements of regulatory compliance.

https://sourceforge.net/projects/cyberoam-iview/

2.3 Threat Intelligence

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.

https://github.com/Neo23x0/sigma

3 Data Analysis

3.1 Traffic Analysis

Webfwlog is a flexible web-based firewall log analyzer. It supports netfilter, ipfilter, ipfw, ipchains, Cisco router and Windows XP system logs, as well as MySQL or PostgreSQL database logs written through the iptables ULOG or NFLOG targets of netfilter; other sources can be mapped to the ulogd format with a view.

https://sourceforge.net/projects/webfwlog/

3.2 Log Analysis

3.3 Access Behaviour Analysis

AWStats is a free, powerful and feature-rich server logfile analyzer that shows you all your Web/Mail/FTP statistics, including visits, unique visitors, pages, hits, rush hours, OS, browsers, search engines, keywords, robot visits, broken links and more.

https://sourceforge.net/projects/awstats/

4 Application Services

4.1 Management Front-End

NagiosQL is a professional, web-based configuration tool for Nagios 2.x/3.x/4.x. It is designed for large enterprise requirements as well as small environments. All Nagios functionalities are supported.

https://sourceforge.net/projects/nagiosql/

4.3 Forensic Analysis

Xplico is a Network Forensic Analysis Tool (NFAT).

https://sourceforge.net/projects/xplico/

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. 

https://sourceforge.net/projects/autopsy/

MantaRay Forensics is designed to automate the processing of forensic evidence with open source tools.

https://sourceforge.net/projects/mantarayforensics/

5 Threat Analysis

5.1 Virus Analysis

The goal of this project is to build a browser add-on that passively audits the security posture of the websites the user is visiting. It assumes the tool is used on non-malicious websites that are not currently under attack or compromised. The add-on reports security misconfigurations and failures to follow security best practices.

https://sourceforge.net/projects/web-security-audit/

Antivirus Live CD is an official 4MLinux fork including the ClamAV scanner. It's designed for users who need a lightweight live CD, which will help them to protect their computers against viruses. 

https://sourceforge.net/projects/antiviruslivecd/

Cuckoo Sandbox uses components to monitor the behavior of malware in a sandbox environment isolated from the rest of the system. It offers automated analysis of any malicious file on Windows, Linux, macOS, and Android.

https://sourceforge.net/projects/cuckoosandbox.mirror/

5.2 Web Vulnerability Scanning

Wapiti is a vulnerability scanner for web applications.

https://sourceforge.net/projects/wapiti/

w3af: web application attack and audit framework, the open source web vulnerability scanner.

https://github.com/andresriancho/w3af

xray: a complete security assessment tool that supports scanning for common web security issues and custom PoCs.

https://github.com/chaitin/xray

Arachni: Web Application Security Scanner Framework

https://github.com/Arachni/arachni

WhatWeb: next generation web scanner

https://github.com/urbanadventurer/WhatWeb

phpMussel is a PHP script designed to detect trojans, viruses, malware and other threats within files uploaded to your system wherever the script is hooked, based on the signatures of ClamAV and others.

https://sourceforge.net/projects/phpmussel/

5.3 Network Security

Network Security Toolkit (NST) is a bootable ISO image (Live DVD/USB Flash Drive) based on Fedora 30 providing easy access to best-of-breed Open Source Network Security Applications and should run on most x86_64 systems.

https://sourceforge.net/projects/nst/

OSS Next Gen Network Management System (NG-NetMS)

https://sourceforge.net/projects/ngnms/

openQRM is a web-based open source datacenter management and hybrid cloud computing platform that integrates flexibly with existing components in enterprise data centers.

https://sourceforge.net/projects/openqrm/

Netdisco is an SNMP-based L2/L3 network management tool designed for moderate to large networks. Routers and switches are polled to log IP and MAC addresses and map them to switch ports. Automatic L2 network topology discovery, display, and inventory.

https://sourceforge.net/projects/netdisco/

5.4 Data Security

Parrot Project: Security, Development and Privacy Defense, all in one place.

https://sourceforge.net/projects/parrotsecurity/

5.5 Attack Simulation

Infection Monkey is an open source Breach and Attack Simulation tool to evaluate the security posture of your network.

https://www.guardicore.com/infectionmonkey/

IV. Development Security

Figure 5: Development security

1 Code Security

1.1 Source Code Audit

Cobra: Source Code Security Audit

https://github.com/WhaleShark-Team/cobra

VCG is an automated code security review tool for C++, C#, VB, PHP, Java, PL/SQL and COBOL, which is intended to speed up the code review process by identifying bad/insecure code.

https://sourceforge.net/projects/visualcodegrepp/

Bandit is a tool designed to find common security issues in Python code.

https://github.com/PyCQA/bandit

Retire.js: a scanner detecting the use of JavaScript libraries with known vulnerabilities.

http://retirejs.github.io/retire.js/

https://github.com/securego/gosec

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors 

https://html5sec.org/

2 Component Security

2.1 Dependency Checking

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

https://github.com/jeremylong/DependencyCheck

2.2 Open-Source Component Vulnerability Discovery

OSS-Fuzz - continuous fuzzing of open source software. 

https://github.com/google/oss-fuzz

WhiteSource Bolt for GitHub/Azure DevOps is a FREE app/extension, which scans all of your projects and detects vulnerable open source components.

https://sourceforge.net/projects/whitesource-bolt/

3 Interface Security

3.1 API Checklist

https://github.com/shieldfy/API-Security-Checklist/blob/master/README-zh.md

3.2 Checklists

https://github.com/danielmiessler/SecLists

4 Integration Security

4.1 Vulnerability Discovery

Trivy: a simple and comprehensive vulnerability scanner for containers, suitable for CI.

https://github.com/aquasecurity/trivy

Cloud Custodian: a rules engine for cloud security, cost optimization and governance, with a YAML DSL for policies that query, filter and take actions on resources.

https://github.com/cloud-custodian/cloud-custodian

4.2 Automated Penetration Testing

Osmedeus: a fully automated offensive security framework for reconnaissance and vulnerability scanning.

https://j3ssie.github.io/Osmedeus/

4.3 Audit Checks

InSpec: Auditing and Testing Framework

https://github.com/inspec/inspec

V. Education and Training

Figure 6: Education and training

1 Web Security

Web Security Dojo is a virtual machine that provides the tools, targets, and documentation to learn and practice web application security testing.

https://sourceforge.net/projects/websecuritydojo/

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

https://owasp.org/www-project-juice-shop/

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.

https://github.com/ethicalhack3r/DVWA

Web-Security-Learning: web security study notes

https://github.com/CHYbeta/Web-Security-Learning

2 App Security

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering. 

https://github.com/OWASP/owasp-mstg

3 Security Hardening

https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

4 Penetration Testing

Metasploitable2 (Linux): Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

https://sourceforge.net/projects/metasploitable/

VI. Penetration Testing

Figure 7: Penetration testing

1 Penetration Testing

1.1 Payloads

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

https://github.com/samratashok/nishang

1.2 Penetration Frameworks

TAIE RedTeam OS: a red-team penetration operating system aimed at Chinese information security white hats. Its tool set is tailored to the Chinese environment, avoiding bloat by trimming rarely used tools and integrating well-regarded domestic open-source penetration tools to help red-team personnel do their work.

https://sourceforge.net/projects/taie-redteam-os/

We are excited to announce the availability of Blackhat-Global OS Lite. We have condensed the full Blackhat-Global experience into a streamlined, fast, user-friendly, desktop-oriented operating system, which is available immediately for download.

https://sourceforge.net/projects/blackhat-global/

Sn1per: an automated pentest framework for offensive security experts.

https://github.com/1N3/Sn1per

2 Specific Attack Types

2.1 DDoS Attacks

UFONet is a toolkit designed to launch DDoS and DoS attacks.

https://sourceforge.net/projects/ufonet/

2.2 Phishing

Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.

https://getgophish.com/

2.3 Social Engineering

Trape is an OSINT analysis and research tool which allows people to track and execute intelligent social engineering attacks in real time.

https://github.com/jofpin/trape

VII. Office Security

Figure 8: Office security

1 Intranet Access

OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single TCP/UDP port.

https://sourceforge.net/projects/openvpn/

2 Network Access Control

PacketFence is a network access control (NAC) system featuring a captive portal for registration and remediation, wired and wireless management, 802.1X support, isolation of devices and integration with IDS; it can be used to secure networks from small to large.

https://sourceforge.net/projects/packetfence/

3 Password Management

Bitwarden is an easy-to-use and secure desktop vault for managing passwords and other sensitive data. It helps individuals and teams share, store and sync sensitive data, and create and secure passwords. All data is fully encrypted before it even leaves your device, with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.

https://sourceforge.net/projects/bitwarden.mirror/
