Context: As Frappe, when we were implementing ISO 27000, we looked at various FOSS options for things like anti-virus, end-point security, security operations center (SOC), etc., and did not find many options. ClamAV seems to be the best FOSS anti-virus around, and we found nothing interesting for end-point security and an overall control center.
This also came up in a recent conversation with a few senior folks in academia and government. Would love to know from security experts what the state of security apps for FOSS is. What are the frameworks and tools for both attack and defense in the space?
Apart from ClamAV and a few rootkit scanners, I don't think there are any other meaningful antivirus tools in the Linux world. That's telling of the Linux security model.
In networking, app deployments, containers, cloud, etc., there are numerous great things happening, e.g. "zero-trust" networking and authentication systems, VPNs, eBPF for network security and monitoring, and firewalls. In the security tools space, there are things like Kali Linux and a host of other pentesting and networking tools.
There will be a lot of detailing in ISO 27001 which is focused around Windows, such as "ensure antivirus is enabled". There are two ways to approach it.
Conform to ISO 27001 in spirit: for example, justify why antivirus was needed and sort it out; even if you don't install it, you can justify it.
Conform to ISO 27001 in words: install whatever is available and be done with it.
That being said, let me come to your original question around what's the state of offense and defense tooling. Most offensive tooling is open in public because that's how the growth happened and people were able to move forward. But defense was the area which always paid, so people keep things closer to the chest, hence less open-source tooling around that area, IMHO.
Another tool I'll add to the list shared by Anant:
Shuffle
It’s an open source security automation platform which you can use in conjunction with other security tools to build automated playbooks for activities such as incident response or analysis.
The thing with having so many libraries and tools is that it might leave a tech team very unguided after looking at all the solutions.
IMO this is similar to the observability stack, because there are so many open-source observability tools that you might be unsure what to go for.
What I have found helpful myself are the many observability-in-a-box Docker Compose setups on GitHub which combine many services together and have everything you might need to begin and experiment with.
Similarly, I feel a SOC-in-a-box setup would be a great guide or starting point for tech teams to set up great security operations with open-source tools.
Thanks @anant_shrivastava for the comprehensive list! It will be great if you could help classify these projects based on the types of assets they protect or the kind of features they bring to the table.
Namaste
We are new here (www.sssgrameen.in); call me Sri.
We started working on these initiatives a few years ago (pre-Corona days), only because security had to remain neutral from a national security point of view, and also to provide neutral advice to clients (away from the hype madness),
also because we need to return to industry/stakeholders collectively,
either as a CERT kind or an EFF kind globally, or a dark-web Snowden kind. We had seen the kind of risks at the national or international level,
but we also saw beautiful startups evolve, like Palantir or others, based on a FOSS stack.
I will list some from our experience and also our plan to build a FOSS SOC; it's a work in progress though.
From a client point of view, they need ISO-neutral standards, industry-specific regulation and country norms, besides offering neutral security (no back door, no agenda; e.g. FireEye TI does not cover risks to a foreign government considered an enemy of the US, so anyone using their tools is left naked with honey on ;-)).
Later, as you move to the tech stack or COTS, it is a different story altogether; you need to work with OEM architects to get it right.
Notes:
Text roles: appsec
SSSIHL presentation on risk ecosystem
eBhadra: open-source SOC, moving to mobile and later to OT (and later application/context-aware, like a normal app vs SAP ERP/CERNER HIS, or Dell HCI vs OpenShift)
Client FOSS deck for total security, as they are FOSS-based
I am sure many across the world have made progress. We were looking at an India-specific threat stack and securing Digital India (where Aadhaar, mobile and internet are in everyone's bedroom and part of the corporate/political arsenal).