19 open source GitHub projects for security pros

GitHub has a ton of open source options for security professionals, with new entries every day. Add these tools to your collection and work smarter

When it comes to performing ongoing maintenance, stomping out crises, or scoping new projects, most administrators either execute tasks manually or write a script to automate the process. But the really smart ones look for a capable tool to do the job.

With more than 800 security-focused projects, GitHub offers IT administrators and information security professionals a wealth of tools and frameworks for malware analysis, penetration testing, computer and network forensics, incident response, network monitoring, and a whole lot more.

Here are some of the most effective open source security projects that anyone charged with protecting their systems and networks should check out. We've grouped them by task for easy reference:

Penetration testing

When it comes to penetration testing, look no further than Rapid7's Metasploit Framework. With an extensive library of exploits, security professionals can use the exploit development and delivery system to assess the security of an application or network before attackers do.

The platform's versatility comes from its modular structure: Plug in the appropriate module and test computers, phones, routers, switches, industrial control systems, and embedded devices. Metasploit can run on a variety of platforms, including Windows, Linux, Mac, Android, and iOS.

Metasploit is comprehensive, but it pays to have other options in the penetration testing toolkit. Check out the Browser Exploitation Framework (BeEF), a penetration testing tool focusing on the Web browser. BeEF uses client-side attack vectors to assess an organization's vulnerability to Web-based attacks and how far the attacker can get in.

Mimikatz is a great postexploitation tool that lets penetration testers gain a firmer foothold on the Windows machine or network. Mimikatz is powerful, as it lets testers extract plain-text passwords, hashes, PIN codes, and Kerberos tickets from memory, impersonate user tokens, and export certificates and corresponding private keys stored on the compromised system. Mimikatz can be used as a stand-alone tool, but it is also included in Metasploit as a meterpreter script.

Defense-in-depth tools

CloudFlare's CFSSL is a "Swiss Army knife" for signing, verifying, and bundling TLS certificates. Both a command-line tool and an HTTP API server, CFSSL lets administrators build custom TLS/PKI tools and run a certificate authority that can use multiple signing keys. CFSSL also has a full-featured TLS endpoint scanner to test the server configuration against the latest vulnerabilities and transport package to handle certificate configuration and revocation.

Inadvertently exposing sensitive data such as keys and passwords is a common problem in software development. Gitrob helps security professionals scan their GitHub repositories for sensitive files. While GitHub has a built-in search function to uncover the information, Gitrob simplifies the process by compiling a list of all the organization's public repositories and member repositories. The tool iterates through the list and matches filenames against different patterns to find files containing sensitive information. Gitrob saves all the information to a PostgreSQL database and displays the search results in a simple Web application.

Lynis is a security auditing and hardening tool for Unix-based systems such as Linux, Mac OS X, BSD, and Solaris. Along with an in-depth security scan to detect issues on the system, vulnerable software packages, and configuration settings, Lynis makes recommendations on how to harden the system. Commonly used by blue teams, Lynis can be handy for security assessments, compliance testing, vulnerability detection, configuration management, and patch management.

The National Security Agency's Systems Integrity Management Platform (SIMP) lets security teams define and apply security policies and standards to networked systems. Organizations use the framework to meet security compliance requirements and automate operational tasks. SIMP, which requires the organization to purchase necessary Red Hat Enterprise Linux licenses, shows operations and security teams deviations in network behavior.

Network security monitoring

The Bro Network Security Monitor provides defenders with visibility into all the machines on a network, the ability to tap into network traffic and examine network packets, and analyzers to examine the application layer. Defenders use Bro's domain-specific scripting language to create site-specific monitoring policies. According to the project website, Bro is used heavily in scientific environments such as universities, research labs, and supercomputing centers.

OSSEC combines a host-based intrusion detection system with log monitoring and SIEM (security information and event management) capabilities for a range of platforms, including Linux, Mac OS, Solaris, AIX, and Windows. Security teams use OSSEC for log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerts, and active response. Organizations can meet compliance requirements by configuring OSSEC to send alerts about unauthorized file system modifications and malicious behavior embedded in the software logs.

Moloch is a large-scale, full-packet-capturing indexing and database system that helps security teams with incident handling, network security monitoring, and digital forensics. Moloch complements existing intrusion detection systems by providing administrators with a way to browse, search, and export all captured network traffic. The system consists of a single-threaded C application to capture traffic data, a Node.js application to handle the user interface, and an Elasticsearch database.

Incident response and forensics

The Mozilla Defense Platform (MozDef) automates incident handling by giving defenders a platform where they can monitor, react to, and collaborate on security incidents in real time. MozDef uses Elasticsearch, Meteor, and MongoDB to expand traditional SIEM capabilities with incident response and visualizations. MozDef is a mature platform currently in use at Mozilla.

OS X Auditor parses and hashes kernel extensions, system agents and daemons, third-party agents, downloaded files, and installed applications on a running system (or a copy). The forensics tool extracts user information such as quarantined files, browser history and cookies, file downloads, LastSession, HTML5 databases and localstore, login data, social and email accounts, and saved wireless connections. OS X Auditor verifies the reputation of each file against multiple sources as part of a forensics investigation.

Tailored for Microsoft and Unix systems, Sleuth Kit lets investigators identify and recover evidence from live systems, as well as images created as part of incident response. Investigators can analyze file contents, automate specific procedures, and perform MD5 image integrity checks. The kit is more of a library and collection of command-line tools, and investigators should use Autopsy -- the graphical interface for Sleuth Kit -- to access the tools. 

GRR Rapid Response is an incident response framework focused on remote live forensics for Linux, OS X, and Windows clients. Investigators install the Python agent on target systems for live remote memory analysis, to collect digital forensics artifacts, and perform detailed systems monitoring for CPU, memory, and I/O usage. GRR also uses SleuthKit to give investigators raw file system access.

Research tools and vulnerability scanners

The Radare project is a Unix-like reverse engineering framework and command-line tool for Android, Linux, BSD, iOS, OS X, Solaris, Haiku, FirefoxOS, and QNX, as well as both 32- and 64-bit Windows. The project started as a forensics tool and a scriptable command-line hexadecimal editor, but has since added libraries and tools for analyzing binaries, disassembling code, debugging programs, and attaching to remote gdb servers. Radare supports a broad range of architectures -- Intel-based, ARM, Sparc, and PowerPC, to name a few.

Brakeman is a vulnerability scanner for Ruby on Rails apps that lets infosec pros analyze data flow from one part of the application to another. Brakeman helps administrators uncover problems in Web applications such as SQL injection, SSL verification bypass, and information disclosure vulnerabilities. Brakeman should be used with a website security scanner.

Quick Android Review Kit (Qark) looks for security vulnerabilities in Android applications, either in the source code or packaged APKs. The tool looks for issues such as inadvertently exported components, improper x.509 certificate validation, data leakage, private keys embedded in the source code, weak or improperly used cryptography, and tap-jacking, to name a few. Qark provides information about the nature of security vulnerabilities found, as well as the ability to create proof-of-concept APKs that could exploit them.

For malware analysis, there's Cuckoo Sandbox, an automated dynamic malware analysis system that originated in 2010 as a Google Summer of Code project. Cuckoo lets security teams detonate suspicious files and monitor the resulting behavior in an isolated virtual environment. Cuckoo dumps the memory and analyzes the data -- such as tracing API calls and logging all files created and deleted -- to determine exactly what a suspicious file is doing on the system.

Jupyter is not a security-specific project, but the shareable notebooks are a must-have for any security toolkit. Security professionals can share live code, visualizations, and explanatory text with individual notebooks, which come with an embedded shell. There are additional tools to enhance the project, including Jupyterhub, a multiuser server, a diff tool, a Docker stack, and an OAuth package.

Copyright © 2016 IDG Communications, Inc.