DevOpsCon – about Security

Security

  • Security needs to be an enabler: not restricting, but enabling things to be done in a secure way
  • Principles over rules
  • Security people need to be part of understanding the team's mission
  • Someone needs to wear a security hat
  • What are the threats for us? What do I care about, who is likely to attack the system, is it going to be insiders? Educate the whole team
  • Build attack trees
  • Build automatic penetration testing

Open-source penetration testing tools

  • Arachni is a Free/Public-Source Web Application Security Scanner aimed towards helping users evaluate the security of web applications.
  • Canarytokens are a simple way to tripwire things. An old concept, they can be super useful (and are trivial to use)
  • BeEF is a security tool, allowing a penetration tester or system administrator additional attack vectors when assessing the posture of a target.
  • The Open Web Application Security Project (OWASP) is an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
  • Lynis is the most used auditing tool for Linux, Unix and macOS systems. It helps you run security scans in just a few minutes and guides you through system hardening.
  • OSSEC watches it all, actively monitoring all aspects of Unix system activity with file integrity monitoring, log monitoring, rootcheck, and process monitoring
  • Nagios, now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.
  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
  • Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
  • Grabber is a web application scanner. It detects some kinds of vulnerabilities in your website.
  • John the Ripper password cracker is designed to be both feature-rich and fast. It combines several cracking modes in one program and is fully configurable for your particular needs

Paid or free solution

  1. Use paid solution
    • Use it and strip down to what you really need
      + ready to go
      + sort of giving away responsibility
      – costly
      – might be more/else than you need
      – not opensource
  2. Use free solution
    • Use opensource tools and build your own testing
    • If you find out you need more, you have a good input for company providing the paid solution
      + free and opensource
      + your control
      + some of it can be implemented immediately
      – might take time to put the right complete solution in place