Building your security stack with OpenSource

ROUND 2: THE REAL LIFE

DISCLAIMER

All expressed opinions are my own and do not express nor represent my employer or any other organization I am affiliated with.

Author

Héctor Eryx Paredes Camacho

Security Engineer with plenty of Software Engineering background focused on Application Security.
Cybersecurity professor.
Security and open source enthusiast.

TL;DR -> what you should get

# Answer these 3 questions for your cyber security program - Why - What - How

| What | Why | How |
| --- | --- | --- |
| Protect your data | You are in danger | Secure software |
| Composed Security Architecture | Multiple digital assets | Piece by piece |
| Build a security stack | No single solution for everything | Cherry-picking and plumbing |
https://twitter.com/jakeclarkdude/status/689141113584619524?lang=en
Security Architecture 101 - old school
DMZ
Intranet
Security Architecture 101
Huxham Security Framework[1]
Gartner Adaptive Security[2]
CNCF Project Harbor[3]

[1] https://en.wikipedia.org/wiki/Enterprise_information_security_architecture
[2] https://www.gartner.com/smarterwithgartner/build-adaptive-security-architecture-into-your-organization
[3] https://www.cncf.io/blog/2018/07/31/cncf-to-host-harbor-in-the-sandbox/

Open Source @ Lyft

How we contribute and foster opensource

Our Projects

## Envoy

_Envoy is an open source edge and service proxy, designed for cloud-native applications._

| Stack | Language | Stars |
| --- | --- | --- |
| Infrastructure | C++ | ★1650 |

## Cartography

_Explore assets and their relationships across your technical infrastructure._

| Stack | Language | Stars |
| --- | --- | --- |
| Security Intelligence | Python | ★2065 |

## Confidant

_Confidant is an open source secret management service that provides user-friendly storage and access to secrets in a secure way, from the developers at Lyft._

| Stack | Language | Stars |
| --- | --- | --- |
| Security | Python, JS | ★1650 |

## RateLimit

_Go/gRPC service designed to enable generic rate limit scenarios from different types of applications._

| Stack | Language | Stars |
| --- | --- | --- |
| Infrastructure | Go | ★1325 |

## Clutch

_An extensible platform for infrastructure management._

| Stack | Language | Stars |
| --- | --- | --- |
| Infrastructure | Go, TypeScript | ★1201 |

## MetaDataProxy

_A proxy for AWS's metadata service that gives out scoped IAM credentials from Security Token Service._

| Stack | Language | Stars |
| --- | --- | --- |
| Infrastructure | Python | ★427 |

External projects (forks)

* Apache Spark
* Apache Airflow
* Apache Beam
* Atlantis
* Kubernetes
* Salt
* Protobuf
* Grafana

_and many more_

External projects (as users)

### Trivy

Container vulnerability scanner by Aqua Security (https://github.com/aquasecurity/trivy)

### Clair

Container vulnerability scanner by Quay (https://github.com/quay/clair)

### Semgrep

Static analysis tool for finding bugs and enforcing code standards (https://github.com/returntocorp/semgrep)

### Gitlab-semgrep

Wrapper from Gitlab to run semgrep (https://gitlab.com/gitlab-org/security-products/analyzers/semgrep)

### Compliance As Code (OpenSCAP)

Set of tools to analyze standard security policies on Linux systems (https://github.com/ComplianceAsCode/content)

### osquery

Framework to expose operating system information via SQL tables (https://github.com/osquery/osquery)

### Open Policy Agent

General-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack (https://github.com/open-policy-agent/opa)

Cartography : A map to your infra security

Contributing to Open Source Security Projects

Quick guide on how to start

Choose wisely young Padawan

1. Explore
2. Identify
3. Use
4. Engage
5. Commit

# Sample Projects

* [Trivy issues](https://github.com/aquasecurity/trivy/issues)
* [Cartography issues](https://github.com/lyft/cartography/issues)

# Types of contributions

* Documentation
* Report issues
* Fix issues
* Propose new features
* Engage with the community
Sample Security Architecture 

Back to the What - How - Why

Answer these 3 questions:

What -> Build a more secure & more open world
How -> Integrating transparent tools and proven standards
Why -> Because information security and privacy are everybody's responsibility, and working jointly we can better protect ourselves

Thank you!