├── CONTRIBUTING.md
├── Getting Started with Security Settings.go
├── README.md
└── Security Glossary.md
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing Guidelines
2 |
3 | **Make sure your pull request follows these guidelines:**
4 |
5 | - Search through the previous pull requests before making a new one!
6 | - Adding new categories, or improving existing categories is welcome!
7 | - Make sure you've personally used or benefited from the suggested resource.
8 | - Make an individual pull request for each suggestion.
9 | - Use the following format: `[Resource Title](url link) — description.`
10 | - Expand on why the resource is useful in your pull request if needed.
11 | - Keep descriptions short and simple, but descriptive.
12 | - Please double check your spelling and grammar.
13 |
14 | **Thanks for contributing to this Project!**
15 |
--------------------------------------------------------------------------------
/Getting Started with Security Settings.go:
--------------------------------------------------------------------------------
1 | Code samples & snippets coming soon!
2 |
3 | // Setting Security protocols
4 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
4 | Open Source Security Guide
5 |
14 | #### A guide covering Security including the applications, libraries and tools that will make you better and more efficient at securing your system operations and networks.
15 |
16 | **Note: You can easily convert this markdown file to a PDF in [VSCode](https://code.visualstudio.com/) using this handy extension [Markdown PDF](https://marketplace.visualstudio.com/items?itemName=yzane.markdown-pdf).**
17 |
18 | # Table of Contents
19 |
20 | 1. [Getting Started with Open Source Security](https://github.com/mikeroyal/Open-Source-Security-Guide#getting-started-with-open-source-security)
21 | * [Security Tutorials & Resources](#Security-Tutorials--Resources)
22 | * [Security Certifications](#Security-Certifications)
23 | * [Books](#books)
24 | * [Playbooks](#playbooks)
25 | * [YouTube Tutorials](#youtube-tutorials)
26 |
27 | 2. [Security Standards, Frameworks and Benchmarks](https://github.com/mikeroyal/Open-Source-Security-Guide#security-standards-frameworks-and-benchmarks)
28 | * [Security Benchmarks](#Security-Benchmarks)
29 | * [Security Standards & Frameworks](#Security-Standards--Frameworks)
30 | * [Security Encryption](#Security-Encryption)
31 | * [Security Threat Models](#Security-Threat-Models)
32 | * [Threat Intelligence Platform](#threat-intelligence-platform)
33 | * [Security Orchestration Automation and Response (SOAR)](#Security-Orchestration-Automation-and-Response-SOAR)
34 | * [Security Information and Event Management (SIEM)](#Security-information-and-event-management-SIEM)
35 | * [User and Entity Behavior Analytics (UEBA)](#User-and-Entity-Behavior-Analytics-UEBA)
36 | * [Detection & Response Types](#detection--response-types)
37 | * [Evidence Collection](#evidence-collection)
38 | * [Incident Management](#incident-management)
39 | * [Sandboxing/Reversing Tools](#sandboxingreversing-tools)
40 |
41 | 3. [Security Tools](https://github.com/mikeroyal/Open-Source-Security-Guide#security-tools)
42 |
43 | 4. [Network Security](https://github.com/mikeroyal/Open-Source-Security-Guide#network-security)
44 |
50 | ## Getting Started with Open Source Security
51 | [Back to the Top](#table-of-contents)
52 |
53 | [Open Source Security Foundation (OpenSSF)](https://openssf.org/) is a cross-industry collaboration that brings together leaders to improve the security of open source software by building a broader community, targeted initiatives, and best practices. The OpenSSF brings together open source security initiatives under one foundation to accelerate work through cross-industry support. It incorporates the Core Infrastructure Initiative and the Open Source Security Coalition, and will include new working groups that address vulnerability disclosures, security tooling and more.
54 |
55 | ### Security Tutorials & Resources
56 |
57 | [Back to the Top](#table-of-contents)
58 |
59 | - [Microsoft Open Source Software Security](https://www.microsoft.com/en-us/securityengineering/opensource)
60 |
61 | - [Cloudflare Open Source Security](https://cloudflare.github.io)
62 |
63 | - [The Seven Properties of Highly Secure Devices](https://www.microsoft.com/en-us/research/publication/seven-properties-highly-secure-devices/)
64 |
65 | - [How Layer 7 of the Internet Works](https://www.cloudflare.com/learning/ddos/what-is-layer-7/)
66 |
67 | - [The 7 Kinds of Security](https://www.veracode.com/sites/default/files/Resources/eBooks/7-kinds-of-security.pdf)
68 |
69 | - [The Libgcrypt Reference Manual](https://www.gnupg.org/documentation/manuals/gcrypt/)
70 |
71 | - [The Open Web Application Security Project (OWASP) Foundation Top 10](https://owasp.org/www-project-top-ten/)
72 |
73 | - [Common Weakness Enumeration (CWE) Top 25](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)
74 |
75 | - [Best Practices for Using Open Source Code from The Linux Foundation](https://www.linuxfoundation.org/blog/2017/11/best-practices-using-open-source-code/)
76 | - [awesome-cyber-security](https://github.com/fabionoth/awesome-cyber-security)
77 |
78 | - [macOS Security and Privacy Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide#openbsm-audit)
79 |
80 | - [macOS Security Compliance Project](https://github.com/usnistgov/macos_security)
81 |
82 | - [GitGuardian API Security Best Practice](https://github.com/GitGuardian/APISecurityBestPractices)
83 |
84 | - [Open Source Security Foundation (OpenSSF) npm Best Practices Guide](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
85 |
86 | - [Open Source Security Foundation (OpenSSF) Best Practices for Open Source Developers](https://github.com/ossf/wg-best-practices-os-developers)
87 |
88 | - [Open Source Security Foundation (OpenSSF) Identifying Security Threats in Open Source Projects](https://github.com/ossf/wg-identifying-security-threats)
89 |
90 | - [Securing The Software Supply Chain: Recommended Practices Guide for Developers | CISA, NSA, and ODNI (PDF)](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF)
91 |
92 | ### Security Certifications
93 |
94 | [Back to the Top](#table-of-contents)
95 |
96 | - [AWS Certified Security - Specialty Certification](https://aws.amazon.com/certification/certified-security-specialty/)
97 |
98 | - [Microsoft Certified: Azure Security Engineer Associate](https://docs.microsoft.com/en-us/learn/certifications/azure-security-engineer)
99 |
100 | - [Google Cloud Certified Professional Cloud Security Engineer](https://cloud.google.com/certification/cloud-security-engineer)
101 |
102 | - [Cisco Security Certifications](https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/security.html)
103 |
104 | - [The Red Hat Certified Specialist in Security: Linux](https://www.redhat.com/en/services/training/ex415-red-hat-certified-specialist-security-linux-exam)
105 |
106 | - [Linux Professional Institute LPIC-3 Enterprise Security Certification](https://www.lpi.org/our-certifications/lpic-3-303-overview)
107 |
108 | - [Cybersecurity Training and Courses from IBM Skills](https://www.ibm.com/skills/topics/cybersecurity/)
109 |
110 | - [Cybersecurity Courses and Certifications by Offensive Security](https://www.offensive-security.com/courses-and-certifications/)
111 |
112 | - [RSA Certification Program](https://community.rsa.com/community/training/certification)
113 |
114 | - [Check Point Certified Security Expert (CCSE) Certification](https://training-certifications.checkpoint.com/#/courses/Check%20Point%20Certified%20Expert%20(CCSE)%20R80.x)
115 |
116 | - [Check Point Certified Security Administrator (CCSA) Certification](https://training-certifications.checkpoint.com/#/courses/Check%20Point%20Certified%20Admin%20(CCSA)%20R80.x)
117 |
118 | - [Check Point Certified Security Master (CCSM) Certification](https://training-certifications.checkpoint.com/#/courses/Check%20Point%20Certified%20Master%20(CCSM)%20R80.x)
119 |
120 | - [Certified Cloud Security Professional (CCSP) Certification](https://www.isc2.org/Certifications/CCSP)
121 |
122 | - [Certified Information Systems Security Professional (CISSP) Certification](https://www.isc2.org/Certifications/CISSP)
123 |
124 | - [CCNP Routing and Switching](https://learningnetwork.cisco.com/s/ccnp-enterprise)
125 |
126 | - [Certified Information Security Manager (CISM)](https://www.isaca.org/credentialing/cism)
127 |
128 | - [Wireshark Certified Network Analyst (WCNA)](https://www.wiresharktraining.com/certification.html)
129 |
130 | - [Juniper Networks Certification Program Enterprise (JNCP)](https://www.juniper.net/us/en/training/certification/)
131 |
132 | - [Security Training Certifications and Courses from Udemy](https://www.udemy.com/courses/search/?src=ukw&q=secuirty)
133 |
134 | - [Security Training Certifications and Courses from Coursera](https://www.coursera.org/search?query=security&)
135 |
136 | - [Security Certifications Training from Pluralsight](https://www.pluralsight.com/browse/information-cyber-security/security-certifications)
137 |
138 | ### Books
139 |
140 | [Back to the Top](#table-of-contents)
141 |
142 | * [Applied Incident Response](https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268/) - Steve Anson's book on Incident Response.
143 |
144 | * [Art of Memory Forensics](https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098/) - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
145 |
146 | * [Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan](https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406) - by Jeff Bollinger, Brandon Enright and Matthew Valites.
147 |
148 | * [Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats](https://www.amazon.com/Digital-Forensics-Incident-Response-techniques/dp/183864900X) - by Gerard Johansen.
149 |
150 | * [Introduction to DFIR](https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/) - By Scott J. Roberts.
151 |
152 | * [Incident Response & Computer Forensics, Third Edition](https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684/) - The definitive guide to incident response.
153 |
154 | * [Incident Response Techniques for Ransomware Attacks](https://www.amazon.com/Incident-Response-Techniques-Ransomware-Attacks/dp/180324044X) - A great guide to build an incident response strategy for ransomware attacks. By Oleg Skulkin.
155 |
156 | * [Incident Response with Threat Intelligence](https://www.amazon.com/Incident-response-Threat-Intelligence-intelligence-based/dp/1801072957) - Great reference to build an incident response plan based also on Threat Intelligence. By Roberto Martinez.
157 |
158 | * [Intelligence-Driven Incident Response](https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary-ebook-dp-B074ZRN5T7/dp/B074ZRN5T7) - By Scott J. Roberts, Rebekah Brown.
159 |
160 | * [Operator Handbook: Red Team + OSINT + Blue Team Reference](https://www.amazon.com/Operator-Handbook-Team-OSINT-Reference/dp/B085RR67H5/) - Great reference for incident responders.
161 |
162 | * [Practical Memory Forensics](https://www.amazon.com/Practical-Memory-Forensics-Jumpstart-effective/dp/1801070334) - The definitive guide to practice memory forensics. By Svetlana Ostrovskaya and Oleg Skulkin.
163 |
164 | * [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - Richard Bejtlich's book on IR.
165 |
166 | ### Playbooks
167 |
168 | [Back to the Top](#table-of-contents)
169 |
170 | **Playbooks** can help automate and orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being attached to an analytics rule or an automation rule.
171 |
172 | * [OSSTMM (Open Source Security Testing Methodology Manual) PDF](https://github.com/mikeroyal/Open-Source-Security-Guide/files/8834704/osstmm.en.2.1.pdf)
173 | * [NIST Technical Guide to Information Security Testing and Assessment (PDF)](https://github.com/mikeroyal/Open-Source-Security-Guide/files/8834705/nistspecialpublication800-115.pdf)
174 | * [AWS Incident Response Runbook Samples](https://github.com/aws-samples/aws-incident-response-runbooks/tree/0d9a1c0f7ad68fb2c1b2d86be8914f2069492e21) - AWS IR Runbook Samples meant to be customized per each entity using them. The three samples are: "DoS or DDoS attack", "credential leakage", and "unintended access to an Amazon S3 bucket".
175 | * [Counteractive Playbooks](https://github.com/counteractive/incident-response-plan-template/tree/master/playbooks) - Counteractive Playbooks collection.
176 | * [GuardSight Playbook Battle Cards](https://github.com/guardsight/gsvsoc_cirt-playbook-battle-cards) - A collection of Cyber Incident Response Playbook Battle Cards.
177 | * [IRM](https://github.com/certsocietegenerale/IRM) - Incident Response Methodologies by CERT Societe Generale.
178 | * [IR Workflow Gallery](https://www.incidentresponse.org/playbooks/) - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access, and more. Every workflow consists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are available online or for download.
179 | * [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs).
180 | * [Phantom Community Playbooks](https://github.com/phantomcyber/playbooks) - Phantom Community Playbooks for Splunk but also customizable for other use.
181 | * [ThreatHunter-Playbook](https://github.com/OTRF/ThreatHunter-Playbook) - Playbook to aid the development of techniques and hypothesis for hunting campaigns.
182 |
183 | ### YouTube Tutorials
184 |
185 | [Back to the Top](#table-of-contents)
186 |
187 | * <https://www.youtube.com/watch?v=baZH6CX6Zno>
188 | * <https://www.youtube.com/watch?v=4CuXNs6SboU>
189 | * <https://www.youtube.com/watch?v=peTSzcAueEc>
190 | * <https://www.youtube.com/watch?v=pARGj6j0-ZY>
191 | * <https://www.youtube.com/watch?v=X-oekPI_wus>
192 | * <https://www.youtube.com/watch?v=PAwTLfR5pGU>
193 | * <https://www.youtube.com/watch?v=sdLvlKvVr7Y>
194 | * <https://www.youtube.com/watch?v=Y66aWGg2EQo>
195 | * <https://www.youtube.com/watch?v=zxAmqY63eJE>
196 | * <https://www.youtube.com/watch?v=NU9LNS3-rmo>
197 | * <https://www.youtube.com/watch?v=Urluwrkhnik>
198 | * <https://www.youtube.com/watch?v=wtF7O89RTTU>
199 |
200 |
201 | # Security Standards, Frameworks and Benchmarks
202 | [Back to the Top](https://github.com/mikeroyal/Open-Source-Security-Guide#table-of-contents)
203 |
204 | ### Security Benchmarks
205 |
206 | [Back to the Top](#table-of-contents)
207 |
208 | * [STIGs Benchmarks - Security Technical Implementation Guides](https://public.cyber.mil/stigs/)
209 |
210 | * [CIS Benchmarks - CIS Center for Internet Security](https://www.cisecurity.org/cis-benchmarks/)
211 |
212 | * [CIS Top 18 Critical Security Controls](https://www.cisecurity.org/controls/cis-controls-list)
213 |
214 | * [OSSTMM (Open Source Security Testing Methodology Manual) PDF](https://github.com/mikeroyal/Open-Source-Security-Guide/files/8834704/osstmm.en.2.1.pdf)
215 |
216 | * [NIST Technical Guide to Information Security Testing and Assessment (PDF)](https://github.com/mikeroyal/Open-Source-Security-Guide/files/8834705/nistspecialpublication800-115.pdf)
217 |
218 | * [NIST - Current FIPS](https://www.nist.gov/itl/current-fips)
219 |
220 | ### Security Standards & Frameworks
221 |
222 | [Back to the Top](#table-of-contents)
223 |
224 | * [ISO Standards Catalogue](https://www.iso.org/standards.html)
225 |
226 | [Federal Risk and Authorization Management Program (FedRAMP)](https://www.gsa.gov/technology/government-it-initiatives/fedramp) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure cloud solutions.
227 |
228 | [Federal Information Security Management Act (FISMA)](https://csrc.nist.gov/topics/laws-and-regulations/laws/fisma) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural and manmade threats. This risk management framework was signed into law as part of the Electronic Government Act of 2002. Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs, or private businesses and service providers that hold a contract with the U.S. government.
229 |
230 | [Common Criteria for Information Technology Security Evaluation (CC)](https://www.commoncriteriaportal.org/cc/) is an international standard (ISO / IEC 15408) for computer security. It allows an objective evaluation to validate that a particular product satisfies a defined set of security requirements.
231 |
232 | [ISO 22301](https://www.iso.org/en/contents/data/standard/07/51/75106.html) is the international standard that provides a best-practice framework for implementing an optimised BCMS (business continuity management system).
233 |
234 | [ISO27001](https://www.iso.org/isoiec-27001-information-security.html) is the international standard that describes the requirements for an ISMS (information security management system). The framework is designed to help organizations manage their security practices in one place, consistently and cost-effectively.
235 |
236 | [ISO 27701](https://www.iso.org/en/contents/data/standard/07/16/71670.html) specifies the requirements for a PIMS (privacy information management system) based on the requirements of ISO 27001. It is extended by a set of privacy-specific requirements, control objectives and controls. Companies that have implemented ISO 27001 will be able to use ISO 27701 to extend their security efforts to cover privacy management.
237 |
238 | [SOC 2](https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html) is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your company/organization and the privacy of their clients.
239 |
240 | [NIST CSF](https://www.nist.gov/national-security-standards) is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing best practice.
241 |
242 | [EU GDPR (General Data Protection Regulation)](https://gdpr.eu/) is a privacy and data protection law that supersedes existing national data protection laws across the EU, bringing uniformity by introducing just one main data protection law for companies/organizations to comply with.
243 |
244 | [CCPA (California Consumer Privacy Act)](https://www.oag.ca.gov/privacy/ccpa) is a data privacy law that took effect on January 1, 2020 in the State of California. It applies to businesses that collect California residents’ personal information, and its privacy requirements are similar to those of the EU’s GDPR (General Data Protection Regulation).
245 |
246 | [Payment Card Industry (PCI) Data Security Standards (DSS)](https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-pci-dss) is a global information security standard designed to prevent fraud through increased control of credit card data.
247 |
248 | [Landlock LSM (Linux Security Module)](https://www.kernel.org/doc/html/latest/security/landlock.html) is a framework to create scoped access control (sandboxing). Landlock is designed to be usable by unprivileged processes while following the system security policy enforced by other access control mechanisms (DAC, LSM, etc.).
249 |
250 | [Secure boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) is a security standard developed by members of the PC industry to help make sure that a device boots (via its Unified Extensible Firmware Interface (UEFI) firmware) using only software (such as bootloaders, the OS, UEFI drivers, and utilities) that is trusted by the Original Equipment Manufacturer (OEM).
251 |
252 | ### Security Encryption
253 |
254 | [Back to the Top](#table-of-contents)
255 |
256 | **How Encryption Keys work**
257 |
263 | * **Symmetric** is a data encryption method whereby the same secret key is used to encrypt and decrypt information, so the key must be shared in advance and kept private by both parties.
264 |
265 | * **Asymmetric** is a data encryption method that uses a key pair: a public key that can be shared freely to encrypt information, and a private key held only by its owner to decrypt it. For example, it lets you send a message across the internet that no one but the intended recipient can read.
266 |
267 | **Types of Encryption**
268 |
269 | * **Triple DES (Triple Data Encryption Algorithm)** is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each 64-bit data block.
270 |
271 | * **AES (Advanced Encryption Standard)** is an algorithm that encrypts and decrypts data in blocks of 128 bits. It can do this using 128-bit, 192-bit, or 256-bit keys.
272 |
273 | * **RSA (Rivest–Shamir–Adleman)** is a type of public-key cryptography used for secure data transmission of e-mail and other digital transactions over the Internet.
274 |
275 | * **Twofish** is a symmetric-key block cipher with a block size of 128 bits and key sizes up to 256 bits. It is the successor to the Blowfish cipher.
276 |
277 | * **Format Preserving Encryption (FPE)** is a valid encryption algorithm to be used for compliance with NIST standards. It is mostly used in on-premise encryption and tokenization solutions.
278 |
279 | **Application Level Encryption**
280 |
281 | * **Hashes** are functions that convert an input of any length into a fixed-length output (a digest) from which the original input cannot practically be recovered. Examples include [MD5 (Message Digest 5)](https://en.wikipedia.org/wiki/MD5) and the [SHA (Secure Hash Algorithm)](https://en.wikipedia.org/wiki/Secure_hash_algorithms) family; note that MD5 and SHA-1 are no longer collision-resistant and should not be relied on where that property matters.
282 |
283 | * **Digital Certificates** are files that verify the identity of a device or user and enable encrypted connections. A digital signature is computed over a hash of the data using the signer's private key and provides authenticity and integrity; anyone holding the corresponding public key can verify it. Digital certificates are typically issued by a **certificate authority (CA)**, which is a trusted third-party entity that issues digital certificates for use by other parties.
284 |
285 | ### Security Threat Models
286 |
287 | [Back to the Top](#table-of-contents)
288 |
289 | **[Diamond Model of Intrusion Analysis](https://apps.dtic.mil/sti/citations/ADA586960)** is a model to describe cyber attacks. It contains 4 parts - adversary, infrastructure, capability, and target.
290 |
291 | Diamond Model of Intrusion Analysis security model
292 |
297 | **[Cyber Kill Chain framework](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)** is part of the Intelligence Driven Defense model for identification and prevention of cyber intrusion activity. The model identifies the steps adversaries must complete in order to achieve their objective.
298 |
299 | Cyber Kill Chain security model
300 |
305 | **[MITRE ATT&CK](https://attack.mitre.org/)** is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
306 |
307 | MITRE ATT&CK security model
308 |
313 | **[ISO/IEC 27005 InfoSec Risk Management](https://www.iso.org/standard/75281.html)** is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information.
314 |
315 | ISO 27005 InfoSec Risk Management
316 |
321 | ## Threat Intelligence Platform
322 |
323 | [Back to the Top](#table-of-contents)
324 |
325 | A threat intelligence platform is a solution that collects and processes threat data from multiple sources. It provides security teams with detailed information about threats like known malware. The SOAR platform can use the information from the threat intelligence platform to guide the strategy and resolution needed against critical threats.
326 |
332 | ### Threat Intelligence Tools
333 |
334 | [Anomali ThreatStream](https://www.anomali.com/products/threatstream) is a tool that automates the threat intelligence collection and management lifecycle to speed detection, streamline investigations and increase analyst productivity.
335 |
336 | [IBM X-Force Exchange](https://www.ibm.com/products/xforce-exchange) is a threat intelligence sharing platform that you can use to research security threats, to aggregate intelligence, and to collaborate with peers. Logged in users have integrated access to all the functionality of the site: searching, commenting, Collections and sharing.
337 |
338 | [LookingGlass scoutTHREAT](https://lookingglasscyber.com/solutions/scoutthreat/) is a threat intelligence tool that offers automated ingestion and analysis of structured and unstructured threat intelligence, enabling your analysts to collaboratively develop and refine threat actor models by uncovering adversarial capabilities and motivations, tracking relevant reporting to highlight adversaries attacking sectors you care about, and mapping tactics, techniques, and procedures to personas and threat actors.
339 |
340 | [Recorded Future Intelligence Cloud](https://www.recordedfuture.com/platform) is a threat intelligence platform that uniquely combines persistent data collection, large-scale graph analysis, and the analytical acumen of Recorded Future's global research team to provide the most complete coverage of intelligence across adversaries, their infrastructure, and the organizations they target, empowering business and security leaders to act with speed and confidence.
341 |
342 | [ThreatConnect](https://threatconnect.com/) is a threat intelligence platform that has a vision for security that encompasses the most critical elements - risk, threat, and response.
343 |
344 | ### Security Orchestration Automation and Response (SOAR)
345 |
346 | [Back to the Top](#table-of-contents)
347 |
348 | SOAR solutions work by prioritizing and standardizing incident response activities so that security teams can collaborate on investigating and managing incidents. Workflows that can be handled through automation go through standardized response processes defined in playbooks.
349 |
354 | **SOAR platforms vary depending on vendor, but all of them should include these key features:**
355 |
356 | * **Orchestration:** A SOAR solution can facilitate the connection between security and productivity tools, such as firewalls and intrusion detection tools.
357 | * **Automation:** A SOAR solution can automate standard cybersecurity workflows, such as the identification of security alerts and possible intrusions.
358 | * **Response:** A SOAR platform can work with both automated and manual processes to support a timely response to security threats.
359 | * **Integration:** A SOAR platform can work with a variety of complementary security products to support the organization’s overall security posture.
360 | * **Playbooks and automation:** SOAR helps security teams use collected data to streamline operations through security automation and the use of playbooks.
361 | * **Threat prioritization:** SOAR helps security teams prioritize and group alerts for more efficient threat detection and investigation.
362 | * **Reporting and analysis:** SOAR platforms can generate reports to help security teams identify trends in their organization.
363 | * **Security dashboard:** SOAR platforms can serve as a central dashboard to help security teams monitor and respond to alerts in a collaborative way.
364 |
365 | **SOAR Tools**
366 |
367 | [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) is a Security Orchestration, Automation, and Response (SOAR) system. It combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
368 |
369 | [IBM Security QRadar SOAR](https://www.ibm.com/products/soar-platform) is a Security Orchestration, Automation, and Response (SOAR) system. It's designed to help your security team respond to cyberthreats with confidence, automate with intelligence and collaborate with consistency. It guides your team in resolving incidents by codifying established incident response processes into dynamic playbooks.
370 |
371 | [Sumo Logic Cloud SOAR](https://www.sumologic.com/solutions/cloud-soar/) is a Security Operations and Automation Incident Response Platform that facilitates and expedites the management of incident response. It ships with a rich library of customizable playbooks for different threats and incident response scenarios, automating and shortening response time to incidents.
372 |
373 | [Rapid7 Insightconnect](https://www.rapid7.com/products/insightconnect/) is a SOAR solution that integrates with existing solutions to orchestrate vulnerability management processes from notification to remediation. Its automation functionality is managed securely end-to-end: data is encrypted in transit via TLS and encrypted at rest in Rapid7's systems using a public key that is generated by the Orchestrator and sent to the cloud.
374 |
375 | [LogRhythm RespondX](https://logrhythm.com/products/logrhythm-respondx/) is a seamlessly integrated security orchestration, automation, and response (SOAR) solution that enables your team to effectively collaborate, qualify, and manage incidents with improved quality and speed.
376 |
377 | [Exabeam incident responder](https://www.exabeam.com/product/exabeam-incident-responder/#close) is a SOAR solution that comes with pre-defined playbooks for common incident types such as malware, phishing, and data exfiltration. These playbooks include actions that can automatically run (e.g. go get reputation data for this IP address) or guide a team member (reset this user’s password).
378 |
379 | [ServiceNow Security Operations](https://www.servicenow.com/products/security-operations.html) is a security orchestration, automation, and response (SOAR) engine built on the Now Platform. It helps security and IT teams respond faster and more efficiently to incidents and vulnerabilities. Security Operations uses intelligent workflows, automation, and a deep connection between Security Operations and IT to streamline response.
380 |
381 | [SIRP](https://www.sirp.io/) is a no-code risk-based SOAR platform that was built in response to the real-world needs of its customers, specifically the need to base security decisions on something more relevant than generic industry systems. Some of the leading enterprises and MSSPs trust SIRP for their security automation.
382 |
383 | [Chronicle SOAR](https://cloud.google.com/chronicle/docs/soar/soar) is a Security Orchestration Automation and Response (SOAR) solution that enables enterprises and MSSPs to gather data and security alerts from different sources by combining the following:
384 |
385 | * Orchestration and automation
386 | * Threat intelligence
387 | * Incident response
388 |
389 | [Palo Alto Networks Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar/) is a Security Orchestration Automation and Response (SOAR) solution that comes with prebuilt bundles of integrations, playbooks, dashboards, fields, subscription services and all the dependencies needed to support specific security orchestration use cases.
390 |
391 | [Fortinet FortiSOAR](https://www.fortinet.com/products/fortisoar) is a security orchestration, automation and response (SOAR) platform that provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
392 |
393 | [Swimlane SOAR](https://swimlane.com/platform/) is a security orchestration, automation and response (SOAR) platform that helps organizations manage the growing volume of alerts more efficiently by automating time-consuming incident response processes. The solution collects security alert data from previously disparate security platforms and automatically responds to alerts using automated workflows and playbooks. It is also designed to centralize data coming back from investigation tools, giving security teams the ability to view all applicable details right from within Swimlane.
394 |
395 | ### Security Information and Event Management (SIEM)
396 |
397 | [Back to the Top](#table-of-contents)
398 |
399 | Security information and event management (SIEM) software collects log data from an organization and then uses the log data to identify, categorize and analyze incidents and events.
400 |
401 |
402 |
403 |
404 |
405 | **SIEM software goals:**
406 |
407 | * Report on security incidents and events. The software can provide reports with event data, such as failed logins and malware activity.
408 | * Send alerts about potential security issues. The software can use set parameters to determine whether an event is a potential security issue.
409 | * An overview of notable events in your environment that represent potential security incidents.
410 | * Details of all notable events identified in your environment, so you can undertake triage.
411 | * A workbook of all open investigations, allowing you to track your progress and activity while investigating multiple security incidents.
412 | * Risk analysis that lets you score systems and users across your network to identify risks.
413 | * Threat intelligence designed to add context to your security incidents and identify known malicious actors in your environment.
414 | * Protocol intelligence using captured packet data to provide network insights that are relevant to your security investigations, allowing you to identify suspicious traffic, DNS activity and email activity.
415 | * User intelligence lets you investigate and monitor the activity of users and assets in your environment.
416 | * Web intelligence to analyze web traffic in your network.
417 |
418 | **SIEM Data sources include:**
419 |
420 | * **Network devices:** Routers, switches, bridges, wireless access points, modems, line drivers, hubs
421 | * **Servers:** Web, proxy, mail, FTP
422 | * **Security devices:** IDS/IPS, firewalls, antivirus software, content filter devices, intrusion detection appliances
423 | * **Applications:** Any software used on any of the above devices
424 | * **Cloud and SaaS solutions:** Software and services not hosted on-premises
425 | * **Remote workforce:** All devices and activity related to remote work
426 |
427 |
428 | ### SIEM Tools
429 |
430 | [Datadog Security Monitoring](https://www.datadoghq.com/security-monitoring-tools/) is a security information and event management (SIEM) and real-time security monitoring tool. Datadog analyzes and evaluates security and observability data in order to identify threats and reduce risks. Use configurable out-of-the-box rules, mapped to the MITRE ATT&CK™ framework, to track common attacker techniques, such as a VM enumerating all storage buckets in your account.
431 |
432 | [Logpoint](https://www.logpoint.com/) is the only unified SIEM-SOAR solution that collects, analyzes and prioritizes security incidents to help analysts identify and resolve incidents fast and keep businesses safe, with built-in detection, investigation, and response playbooks.
433 |
434 | [Graylog](https://www.graylog.org/) is a log management platform that also targets SIEM in the midmarket; the vendor has released a SaaS version of its enterprise product as well as a new security offering. It provides answers to your team's security, application, and IT infrastructure questions by enabling you to combine, enrich, correlate, query, and visualize all your log data in one place.
435 |
436 | [Exabeam Fusion](https://www.exabeam.com/product/) is a powerful and advanced cloud-native SIEM and introduces New-Scale SIEM. It unites the combined capabilities of all Exabeam products such as cloud-native data storage, rapid data ingestion, hyper-quick query performance, powerful behavioral analytics, and automation that changes the way analysts do their jobs.
437 |
438 | [Elastic Security](https://www.elastic.co/security) is a platform that unifies SIEM, endpoint security, and cloud security on an open platform, equipping teams to prevent, detect, and respond to threats. It includes a security news feed, host and network data, detections, timelines, cases, and an abstracted view into the administration of the Elastic endpoint configuration.
439 |
440 | [Fortinet FortiSIEM](https://www.fortinet.com/products/siem/fortisiem) is a SIEM platform solution that brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches.
441 |
442 | [Splunk Enterprise Security](https://www.splunk.com/en_us/products/enterprise-security.html) is Splunk's SIEM platform solution.
443 |
444 | [OSSEC The Open-source HIDS Security](https://www.ossec.net/) is a multiplatform, open source and free Host Intrusion Detection System (HIDS). It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
445 |
446 | [LogRhythm NextGen SIEM Platform](https://logrhythm.com/solutions/security/siem/) is a SIEM platform that delivers comprehensive security analytics, UEBA, NTA, and SOAR within a single, integrated platform for rapid detection, response, and neutralization of threats.
447 |
448 | [Wazuh](https://wazuh.com/) is a unified XDR (Extended Detection & Response) and SIEM (Security Information and Event Management) solution that protects endpoints and cloud workloads from modern threats. It offers free community support, no license cost, and flexible scalability for enterprise users.
449 |
450 | ### User and Entity Behavior Analytics (UEBA)
451 |
452 | [Back to the Top](#table-of-contents)
453 |
454 | User and Entity Behavior Analytics (UEBA) is a category of security solutions that use innovative analytics technology, including machine learning and deep learning, to discover abnormal and risky behavior by users, machines and other entities on the corporate network, typically in conjunction with a Security Information and Event Management (SIEM) solution.
455 |
456 | #### Three pillars of UEBA
457 |
458 | **Gartner defines UEBA solutions across three dimensions:**
459 |
460 | * **Use cases** — UEBA solutions provide information on the behavior of users and other entities in the corporate network. They should perform monitoring, detection and alerting of anomalies. And they should be applicable for multiple use cases, unlike specialized tools for employee monitoring, trusted hosts monitoring, fraud, and so on.
461 | * **Data sources** — UEBA solutions are able to ingest data from a general data repository such as a data lake or data warehouse, or through a SIEM. They shouldn't deploy agents directly in the IT environment to collect the data.
462 | * **Analytics** — UEBA solutions detect anomalies using a variety of analytics approaches: statistical models, machine learning, rules, threat signatures and more.
463 |
464 |
465 |
466 |
467 |
468 | There is a close relation between UEBA and SIEM technologies, because UEBA relies on cross-organizational security data to perform its analyses, and this data is typically collected and stored by a SIEM.
469 |
470 | **A UEBA solution should analyze as many data sources as possible, some example data sources include:**
471 |
472 | * Authentication systems like [Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview)
473 | * Access systems like VPN and proxies
474 | * Configuration Management Databases
475 | * Human resources data: new employees, departed employees, and any other data that provides additional context on users
476 | * Firewall, Intrusion Detection and Prevention Systems (IDPS)
477 | * Anti-malware and antivirus systems
478 | * Endpoint Detection and Response systems
479 | * Network Traffic Analytics
480 | * Threat Intelligence feeds
481 |
482 | ### Detection & Response Types
483 |
484 | [Back to the Top](#table-of-contents)
485 |
486 | * [Endpoint Detection and Response (EDR)](https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/), also referred to as endpoint detection and threat response (EDTR), is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.
487 |
488 | * [Extended detection and response (XDR)](https://www.crowdstrike.com/cybersecurity-101/what-is-xdr/) is a cybersecurity service that collects threat data from previously siloed security tools across an organization's technology stack for easier and faster investigation, threat hunting, and response. An XDR platform can collect security telemetry from endpoints, cloud workloads, the network, email, and more.
489 |
490 | * [Managed detection and response (MDR)](https://www.crowdstrike.com/cybersecurity-101/managed-detection-and-response-mdr/) is a cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring, and response.
491 |
492 | * [Network Detection and Response (NDR)](https://www.ibm.com/topics/ndr) is a category of cybersecurity technologies that use non-signature-based methods—such as artificial intelligence, machine learning and behavioral analytics—to detect suspicious or malicious activity on the network and respond to cyber threats.
493 |
494 |
495 |
496 |
497 |
498 | ### Evidence Collection
499 |
500 | [Back to Top](#table-of-contents)
501 |
502 | **Evidence Collection** - is a set of protocols that apply to evidence both before and after it is collected. This process covers preserving and collecting evidence, making sure the evidence is not destroyed or devalued as a source of information.
503 |
504 |
505 |
506 |
507 |
508 | * [Acquire](https://github.com/fox-it/acquire) - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container. This makes Acquire an excellent tool to, among others, speedup the process of digital forensic triage. It uses [Dissect](https://github.com/fox-it/dissect) to gather that information from the raw disk, if possible.
509 | * [artifactcollector](https://github.com/forensicanalysis/artifactcollector) - The artifactcollector project provides a software that collects forensic artifacts on systems.
510 | * [bulk_extractor](https://github.com/simsong/bulk_extractor) - Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because it ignores the file system structure, the program distinguishes itself in terms of speed and thoroughness.
511 | * [Cold Disk Quick Response](https://github.com/rough007/CDQR) - Streamlined list of parsers to quickly analyze a forensic image file (`dd`, E01, `.vmdk`, etc) and output nine reports.
512 | * [CyLR](https://github.com/orlikoski/CyLR) - The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.
513 | * [Forensic Artifacts](https://github.com/ForensicArtifacts/artifacts) - Digital Forensics Artifact Repository
514 | * [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
515 | * [Live Response Collection](https://www.brimorlabs.com/tools/) - Automated tool that collects volatile data from Windows, OSX, and \*nix based operating systems.
516 | * [Margarita Shotgun](https://github.com/ThreatResponse/margaritashotgun) - Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.
517 | * [UAC](https://github.com/tclahr/uac) - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
518 |
519 | ### Incident Management
520 |
521 | [Back to Top](#table-of-contents)
522 |
523 | **Incident Management** - is the process used by development and IT Operations teams to respond to an unplanned event or service interruption and restore the service to its operational state.
524 |
525 |
526 |
527 |
528 |
529 | * [Catalyst](https://github.com/SecurityBrewery/catalyst) - A free SOAR system that helps to automate alert handling and incident response processes.
530 | * [CyberCPR](https://www.cybercpr.com) - Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.
531 | * [Cyphon](https://medevel.com/cyphon/) - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
532 | * [CORTEX XSOAR](https://www.paloaltonetworks.com/cortex/xsoar) - Palo Alto Networks security orchestration, automation and response platform with full incident lifecycle management and many integrations to enhance automations.
533 | * [DFTimewolf](https://github.com/log2timeline/dftimewolf) - A framework for orchestrating forensic collection, processing and data export.
534 | * [DFIRTrack](https://github.com/dfirtrack/dfirtrack) - Incident Response tracking application handling one or more incidents via cases and tasks with a lot of affected systems and artifacts.
535 | * [Fast Incident Response (FIR)](https://github.com/certsocietegenerale/FIR/) - Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike.
536 | * [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
537 | * [Sandia Cyber Omni Tracker (SCOT)](https://github.com/sandialabs/scot) - Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.
538 | * [Shuffle](https://github.com/frikky/Shuffle) - A general purpose security automation platform focused on accessibility.
539 | * [threat_note](https://github.com/defpoint/threat_note) - Lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research.
540 | * [Zenduty](https://www.zenduty.com) - Zenduty is a novel incident management platform providing end-to-end incident alerting, on-call management and response orchestration, giving teams greater control and automation over the incident management lifecycle.
541 |
542 |
543 | ### Sandboxing/Reversing Tools
544 |
545 | [Back to Top](#table-of-contents)
546 |
547 | **Sandboxing** - is a security practice in which you use an isolated environment, or a "sandbox," for testing. Within the sandbox you can run and analyze code in a safe, isolated environment without affecting the application, system or platform.
548 |
549 | **Reverse-engineering** - is the process of dismantling a device, system, or piece of software to see how it works. It's done primarily to analyze and gain knowledge about the way a product works but often is used to duplicate or enhance the product.
550 |
551 |
552 |
553 |
554 |
555 | * [Any Run](https://app.any.run/) - Interactive online malware analysis service for dynamic and static research of most types of threats using any environment.
556 | * [CAPEv2](https://github.com/kevoreilly/CAPEv2) - Malware Configuration And Payload Extraction.
557 | * [Cutter](https://github.com/radareorg/cutter) - Reverse engineering platform powered by Radare2.
558 | * [Ghidra](https://github.com/NationalSecurityAgency/ghidra) - Software Reverse Engineering Framework.
559 | * [Hybrid-Analysis](https://www.hybrid-analysis.com/) - Free powerful online sandbox by CrowdStrike.
560 | * [Intezer](https://analyze.intezer.com/#/) - Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.
561 | * [Joe Sandbox (Community)](https://www.joesandbox.com/) - Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, MacOS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.
562 | * [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - Static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
563 | * [Metadefender Cloud](https://www.metadefender.com) - Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assessment of files.
564 | * [Radare2](https://github.com/radareorg/radare2) - Reverse engineering framework and command-line toolset.
565 | * [Reverse.IT](https://www.reverse.it/) - Alternative domain for the Hybrid-Analysis tool provided by CrowdStrike.
566 | * [StringSifter](https://github.com/fireeye/stringsifter) - A machine learning tool that ranks strings based on their relevance for malware analysis.
567 | * [Threat.Zone](https://app.threat.zone) - Cloud based threat analysis platform which includes a sandbox, CDR and interactive analysis for researchers.
568 | * [Valkyrie Comodo](https://valkyrie.comodo.com) - Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.
569 | * [Viper](https://github.com/viper-framework/viper) - Python based binary analysis and management framework, that works well with Cuckoo and YARA.
570 | * [Virustotal](https://www.virustotal.com) - Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.
571 |
572 | # Security Tools
573 | [Back to the Top](https://github.com/mikeroyal/Open-Source-Security-Guide#table-of-contents)
574 |
575 | [Acra](https://cossacklabs.com/acra) is a single database security suite with 9 strong security controls: application level encryption, searchable encryption, data masking, data tokenization, secure authentication, data leakage prevention, database request firewall, cryptographically signed audit logging, security events automation. It is designed to cover the most important data security requirements with SQL and NoSQL databases and distributed apps in a fast, convenient, and reliable way.
576 |
577 | [Netdata](https://github.com/netdata/netdata) is a high-fidelity infrastructure monitoring and troubleshooting tool. Its real-time monitoring agent collects thousands of metrics from systems, hardware, containers, and applications with zero configuration. It runs permanently on all your physical/virtual servers, containers, cloud deployments, and edge/IoT devices, and is perfectly safe to install on your systems mid-incident without any preparation.
578 |
579 | [Themis](https://cossacklabs.com/themis) is a free open-source high-level cryptographic library for mobile and backend platforms. Recommended by OWASP for application security, it allows protecting sensitive data (PII, locations, messages, etc.). While giving easy-to-use and hard-to-misuse API, Themis works to provide secure data storage, message exchange, socket connections, and authentication in apps across 15 platforms and languages.
580 |
581 | [OWASP](https://www.owasp.org/index.php/Main_Page) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
582 |
583 | [OpenSCAP](https://www.open-scap.org/) implements SCAP, a U.S. standard maintained by the [National Institute of Standards and Technology (NIST)](https://www.nist.gov/). It provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines. OpenSCAP maintains great flexibility and interoperability while reducing the costs of performing security audits. Whether you want to evaluate DISA STIGs, NIST's USGCB, or Red Hat's Security Response Team's content, all are supported by OpenSCAP.
584 |
585 | [Open Vulnerability and Assessment Language](https://oval.mitre.org/) is a community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and community repositories of content. Tools and services that use OVAL provide enterprises with accurate, consistent, and actionable information to improve their security.
586 |
587 | [Trivy](https://aquasecurity.github.io/trivy/) is a comprehensive security scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets.
588 |
589 | [Lynis](https://cisofy.com/lynis/) is a security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
590 |
591 | [RustScan](https://github.com/RustScan/RustScan) is a Modern Port Scanner.
592 |
593 | [gosec](https://github.com/securego/gosec) is a Golang Security Checker that inspects source code for security problems by scanning the Go AST.
594 |
595 | [Age](https://age-encryption.org/) is a simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
596 |
597 | [SOPS](https://github.com/mozilla/sops) is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
598 |
599 | [Tailnet lock](https://tailscale.com/kb/1226/tailnet-lock/) is a tool that allows you to verify that no node is added to your tailnet without being signed by trusted nodes in your tailnet. When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can’t send or receive traffic on your tailnet.
600 |
601 | [Sandstorm](https://sandstorm.io/) is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
602 |
603 | [mkcert](https://mkcert.dev/) is a simple zero-config tool to make locally trusted development certificates with any names you'd like.
604 |
605 | [Tailnet](https://tailscale.com/kb/1136/tailnet/) is your private network. When you log in for the first time to Tailscale on your phone, laptop, desktop, or cloud VM, a tailnet is created. For personal users, you are a tailnet of many devices and one person. Each device gets a private Tailscale IP address in the [CGNAT](https://tailscale.com/kb/1015/100.x-addresses/) range and every device can talk directly to every other device, wherever they are on the internet.
606 |
607 | [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh/) is a service that allows Tailscale to manage the authentication and authorization of SSH connections on your tailnet.
608 |
609 | [Tailscale Funnel](https://tailscale.com/kb/1223/tailscale-funnel/) is a feature that allows you to route traffic from the wider internet to one or more of your Tailscale nodes. You can think of this as publicly sharing a node for anyone to access, even if they don’t have Tailscale themselves.
610 |
611 | [Universal Radio Hacker (URH)](https://github.com/jopohl/urh) is a complete suite for wireless protocol investigation with native support for many common Software Defined Radios. URH allows easy demodulation of signals combined with an automatic detection of modulation parameters making it a breeze to identify the bits and bytes that fly over the air.
612 |
613 | [Cloudflare Tunnel client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide) is a tunneling daemon that proxies traffic from the Cloudflare network to your origins. This daemon sits between the Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you via this daemon, without requiring you to poke holes in your firewall; your origin can remain as closed as possible.
614 |
615 | [Cloudflare WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/) is a tool that allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s edge, where Cloudflare Gateway can apply advanced web filtering. It also makes it possible to apply advanced Zero Trust policies that check for a device’s health before it connects to corporate applications.
616 |
617 | [Prowler](https://github.com/prowler-cloud/prowler) is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 240 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
618 |
619 | [reNgine](https://github.com/yogeshojha/rengine) is an automated reconnaissance framework for web applications with a focus on a highly configurable, streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and a simple yet intuitive UI.
620 |
621 | [Osmedeus](https://github.com/j3ssie/osmedeus) is a Workflow Engine for Offensive Security. It was designed to build a foundation with the capability and flexibility that allows you to build your own reconnaissance system and run it on a large number of targets.
622 |
623 | [OWASP Nettacker](https://github.com/OWASP/Nettacker) is a project created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP, and many other protocols in order to detect and bypass Firewall/IDS/IPS devices.
624 |
625 | [Terrascan](https://runterrascan.io/) is a static code analyzer for Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
626 |
627 | [Sliver](https://github.com/BishopFox/sliver) is an open source cross-platform adversary emulation/red team framework that can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.
628 |
629 | [Payloads All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings) is a list of useful payloads and bypasses for Web Application Security and Pentest/CTF.
630 |
631 | [TheHive](https://thehive-project.org/) is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion to [MISP](http://www.misp-project.org/).
632 |
633 | [MITRE ATT&CK®](https://attack.mitre.org/) is a global knowledge base of adversary tactics and techniques based on real-world security observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
634 |
635 | [CALDERA™](https://caldera.mitre.org/) is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
636 |
637 | [Pyrsia](https://pyrsia.io/) is a Decentralized Package Network that aims to secure the software supply chain of open-source dependencies by creating a system that secures open-source builds and distribution.
638 |
639 | [GitGuardian shield (ggshield)](https://github.com/GitGuardian/ggshield) is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350 types of secrets, as well as other potential security vulnerabilities or policy breaks.
640 |
641 | [ggshield-action](https://github.com/GitGuardian/ggshield-action) is a GitGuardian Shield GitHub Action to find exposed credentials in your commits.
642 |
643 | [Atomic Red Team™](https://github.com/redcanaryco/atomic-red-team) is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
644 |
645 | [OpenCTI](https://www.opencti.io/) is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.
646 |
647 | [OWASP Amass](https://owasp.org/www-project-amass/) is a tool that performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
648 |
649 | [CrowdSec](https://www.crowdsec.net/) is an open-source and collaborative security stack leveraging the crowd power to generate a global CTI database to protect the user network. It will analyze behaviors, respond to attacks & share signals across the community.
650 |
651 | [Crowdsec Firewall Bouncer](https://github.com/crowdsecurity/cs-firewall-bouncer) is a tool that will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.
652 |
653 | **Supported firewalls:**
654 |
655 | * iptables (IPv4 ✔ / IPv6 ✔)
656 | * nftables (IPv4 ✔ / IPv6 ✔)
657 | * ipset only (IPv4 ✔ / IPv6 ✔)
658 | * pf (IPv4 ✔ / IPv6 ✔)
659 |
660 |
661 | [Pulse](https://kean.blog/pulse/home) is a powerful logging system for Apple platforms built in SwiftUI. It allows you to record and inspect logs and `URLSession` network requests right from your iOS app. Share logs and view them in [Pulse Pro](https://kean.blog/pulse/pro), or use remote logging to see them in real time. Logs are stored locally and never leave your devices.
662 |
663 | [tshark.dev](https://tshark.dev/) is your complete guide to working with packet captures on the command-line.
664 |
665 | [Nebula](https://github.com/slackhq/nebula) is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, Windows, iOS, and Android. It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.
666 |
667 | [Parca](https://parca.dev/) is a tool for continuous profiling that analyzes CPU and memory usage, down to the line number and over time, to save infrastructure cost, improve performance, and increase reliability.
668 |
669 | [DeepFlow](https://github.com/deepflowys/deepflow) is a highly automated observability platform for cloud-native developers. Using new technologies such as eBPF, WASM, and OpenTelemetry, DeepFlow innovatively implements core mechanisms such as AutoTracing, AutoMetrics, AutoTagging, and SmartEncoding, which greatly avoids code instrumentation and significantly reduces the resource overhead of back-end data warehouses.
670 |
671 | [LGTM](https://github.com/marketplace/lgtm) is a tool that finds and prevents zero-days and other critical bugs, with customizable alerts and automated code review.
672 |
673 | [Semgrep](https://github.com/marketplace/semgrep-dev) is a code scanning tool that runs at ludicrous speed. It finds bugs and reachable dependency vulnerabilities and enforces standards on every commit.
674 |
675 | [Socket Security](https://github.com/marketplace/socket-security) is a tool that protects your app from malicious open source dependencies.
676 |
677 | [ir-rescue](https://github.com/diogo-fernan/ir-rescue) is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
678 |
679 | [Live Response Collection](https://www.brimorlabs.com/tools/) is an automated tool that collects volatile data from Windows, MacOS, and \*nix based operating systems.
680 |
681 | [Margarita Shotgun](https://github.com/ThreatResponse/margaritashotgun) is a Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.
682 |
683 | [Catalyst](https://github.com/SecurityBrewery/catalyst) is a free SOAR system that helps to automate alert handling and incident response processes.
684 |
685 | [CyberCPR](https://www.cybercpr.com) is a community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.
686 |
687 | [Snyk](https://github.com/marketplace/snyk) is a tool that finds, fixes (and prevents!) known vulnerabilities in your code.
688 |
689 | [GitProtect.io](https://github.com/marketplace/gitprotect-io) is a free Backup for GitHub that does automatic, daily repo and metadata backup - no maintenance needed: fast restore, DR, AWS, and S3 cloud storage support.
690 |
691 | [Cloudback Backup](https://github.com/marketplace/cloudback) is a tool that automatically backs up your repos, metadata and even LFS objects to AWS, Azure, OneDrive, GCP, and more. It also does instant restores.
692 |
693 | [Mend Bolt](https://github.com/marketplace/whitesource-bolt) is a tool that detects open source vulnerabilities in real time with suggested fixes for quick remediation.
694 |
695 | [Rewind Backups for GitHub (Formerly BackHub)](https://github.com/marketplace/backhub) is a tool that does daily, automatic backups of your repos & metadata. Restore your backups with metadata in seconds + Sync to your S3 or Azure.
696 |
697 | [Renovate](https://github.com/marketplace/renovate) is a tool that keeps dependencies up-to-date with automated Pull Requests.
698 |
699 | [GuardRails](https://github.com/marketplace/guardrails) provides continuous security feedback for modern development teams.
700 |
701 | [Dnsmasq](https://dnsmasq.org/) is a tool that provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. Supported platforms include Linux (with glibc and uclibc), Android, BSD, and MacOS.
702 |
703 | [Matano](https://matano.dev/) is an Open source cloud-native security lake platform (SIEM alternative) for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS.
704 |
705 | [Hetty](https://github.com/dstotijn/hetty) is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.
706 |
707 | [Dissect](https://github.com/fox-it/dissect) is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
708 |
709 | [Acquire](https://github.com/fox-it/acquire) is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.
710 |
711 | [Faraday](https://www.faradaysec.com/) is an Open Source Vulnerability Management Platform. It aggregates and normalizes the data you load, allowing you to explore it in different visualizations that are useful to managers and analysts alike.
712 |
713 | [Security Onion](https://github.com/Security-Onion-Solutions/securityonion) is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, and case management.
714 |
717 | [nDPI®](http://www.ntop.org/) is an open source LGPLv3 library for deep-packet inspection. Based on OpenDPI it includes ntop extensions.
718 |
719 | [Azure Sentinel](https://github.com/Azure/Azure-Sentinel) is a Cloud-native SIEM for intelligent security analytics for your entire enterprise.
720 |
721 | [NETworkManager](https://github.com/BornToBeRoot/NETworkManager) is a powerful tool for managing networks and troubleshooting network problems. It contains features like a WiFi analyzer, IP scanner, port scanner, ping monitor, traceroute, DNS lookup and LLDP/CDP capture.
722 |
723 | [ORY Oathkeeper](https://github.com/ory/oathkeeper) is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules.
724 |
725 | [Ory Kratos](https://github.com/ory/kratos) is a developer-friendly, security-hardened and battle-tested Identity, User Management and Authentication system for the Cloud. The Kratos identity server (similar to Auth0, Okta, Firebase) provides Ory-hardened authentication, MFA, FIDO2, TOTP, WebAuthn, profile management, identity schemas, social sign in, registration, account recovery, and passwordless login.
726 |
727 | [Ory Hydra](https://github.com/ory/hydra) is a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption. Ory Hydra is not an identity provider (user sign up, user login, password reset flow), but connects to your existing identity provider through a [login and consent app](https://www.ory.sh/docs/hydra/oauth2#authenticating-users-and-requesting-consent).
728 |
729 | [Ory Keto](https://github.com/ory/keto) is an Open Source (Go) implementation of [Zanzibar: Google's Consistent, Global Authorization System](https://research.google/pubs/pub48190/). It ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
730 |
731 | [Smap](https://github.com/s0md3v/Smap) is a port scanner built with shodan.io's free API. It takes the same command line arguments as Nmap and produces the same output, which makes it a drop-in replacement for Nmap.
732 |
733 | [IVRE](https://ivre.rocks/) is a network recon framework that lets you build your own self-hosted and fully controlled alternatives to Shodan, ZoomEye, Censys, and GreyNoise. IVRE can run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more.
734 |
735 | [MISP](https://www.misp-project.org/) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reversers to support their day-to-day operations to share structured information efficiently.
736 |
737 | [Rapid7 Nexpose](https://www.rapid7.com/products/nexpose/) is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation.
738 |
739 | [Nikto](https://github.com/sullo/nikto) is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers.
740 |
741 | [Scapy](https://scapy.net/) is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer.
742 |
743 | [OSSEC HIDS (Host Intrusion Detection System)](https://www.ossec.net/) is an open source security tool that performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution.
744 |
745 | [OpenMPTCProuter](https://www.openmptcprouter.com/) is a tool that uses [MultiPath TCP (MPTCP)](https://www.multipath-tcp.org/) and [OpenWrt](https://openwrt.org/) to truly aggregate multiple Internet connections.
746 |
747 | [Cortex](https://thehive-project.org/) is a Powerful Observable Analysis and Active Response Engine. This solves a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response.
748 |
749 | [Scrummage](https://github.com/matamorphosis/Scrummage) is an OSINT tool that centralises search functionality from a bounty of powerful, publicly-available, third-party, [OSINT](https://osintframework.com/) websites.
750 |
751 | [Bettercap](https://www.bettercap.org/) is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking [WiFi](https://www.bettercap.org/modules/wifi/) networks, [Bluetooth Low Energy](https://www.bettercap.org/modules/ble/) devices, wireless [HID](https://www.bettercap.org/modules/hid/) devices and [Ethernet](https://www.bettercap.org/modules/ethernet) networks.
752 |
753 | [Wifiphisher](https://wifiphisher.org/) is a rogue Access Point framework for conducting red team engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks.
754 |
755 | [Attack Surface Analyzer](https://github.com/microsoft/AttackSurfaceAnalyzer) is a [Microsoft](https://github.com/microsoft/) developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.
756 |
757 | [Intel Owl](https://intelowl.readthedocs.io/) is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and a lot of cutting-edge malware analysis tools.
758 |
759 | [Deepfence ThreatMapper](https://deepfence.io/) is a runtime tool that hunts for vulnerabilities in your cloud native production platforms (Linux, K8s, AWS Fargate and more) and ranks these vulnerabilities based on their risk of exploit.
760 |
761 | [Dockle](https://containers.goodwith.tech/) is a container image linter for security that helps you build best-practice Docker images.
762 |
763 | [SpiceDB](https://docs.authzed.com/) is an open source database system for managing security-critical application permissions inspired by Google's [Zanzibar](https://authzed.com/blog/what-is-zanzibar/) paper.
764 |
765 | [Virtualization-based Security (VBS)](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) is a hardware virtualization feature to create and isolate a secure region of memory from the normal operating system.
766 |
767 | [Hypervisor-Enforced Code Integrity (HVCI)](https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard) is a mechanism whereby a hypervisor, such as Hyper-V, uses hardware virtualization to protect kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the hypervisor.
768 |
769 | [eBPF](https://ebpf.io/) is a technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. By making the Linux kernel programmable, infrastructure software can leverage existing layers, making them more intelligent and feature-rich without continuing to add additional layers of complexity to the system.
770 |
771 | [eBPF for Windows](https://github.com/microsoft/ebpf-for-windows) is an eBPF implementation that runs on top of Windows. eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such as DoS protection and observability.
772 |
773 | [Coreboot](https://doc.coreboot.org/getting_started/index.html) is a replacement for your BIOS / UEFI with a strong focus on boot speed, security and flexibility. It is designed to boot your operating system as fast as possible without any compromise to security, with no back doors.
774 |
775 | [TianoCore](https://www.tianocore.org/) is a community project supporting an open source implementation of the Unified Extensible Firmware Interface (UEFI). EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications.
776 |
777 | [OWASP Zed Attack Proxy (ZAP)](https://owasp.org/www-project-zap/) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. Great for pentesters, devs, QA, and CI/CD integration. At its core, ZAP is what is known as a "man-in-the-middle proxy."
778 |
779 | [IDA Pro (Interactive DisAssembler Professional)](https://hex-rays.com/IDA-pro/) is a programmable, multi-processor disassembler combined with a local/remote debugger and a complete plugin programming environment. It's a great tool for testing and discovering security vulnerabilities.
780 |
781 | [Ghidra](https://github.com/NationalSecurityAgency/ghidra) is a software reverse engineering (SRE) framework developed by NSA's Research Directorate for NSA's cybersecurity mission. It helps analyze any malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.
782 |
783 | [Exploit Database](https://www.exploit-db.com/) is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. The goal is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them.
784 |
785 | [Rapid7 Vulnerability & Exploit Database](https://www.rapid7.com/db/) is a curated repository of vetted computer software exploits and exploitable vulnerabilities. Technical details for over 180,000 vulnerabilities and 4,000 exploits are available for security professionals and researchers to review. These vulnerabilities are utilized by our vulnerability management tool [InsightVM](https://www.rapid7.com/products/insightvm/).
786 |
787 | [InsightVM](https://www.rapid7.com/products/insightvm/) is a data-rich resource that can amplify the other solutions in your tech stack, from SIEMs and firewalls to ticketing systems. Only InsightVM integrates with 40+ other leading technologies, and with an open RESTful API, your vulnerability data makes your other tools more valuable.
788 |
789 | [DataWave](https://github.com/NationalSecurityAgency/datawave) is an ingest/query framework that leverages [Apache Accumulo](https://accumulo.apache.org/) to provide fast, secure data access.
790 |
791 | [Emissary](https://github.com/NationalSecurityAgency/emissary) is a P2P based data-driven workflow engine that runs in a heterogeneous possibly widely dispersed, multi-tiered P2P network of compute resources. Workflow itineraries are not pre-planned as in conventional workflow engines, but are discovered as more information is discovered about the data.
792 |
793 | [MADCert](https://github.com/NationalSecurityAgency/MADCert) is a cross-platform tool that consists of a certificate generator, a file system certificate manager, and a command line interface for the purposes of testing.
794 |
795 | [BLESS (Bastion's Lambda Ephemeral SSH Service)](https://github.com/Netflix/bless) is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys.
796 |
797 | [Zuul](https://github.com/Netflix/zuul) is an [L7 application gateway](https://www.f5.com/services/resources/glossary/application-layer-gateway) that provides capabilities for dynamic routing, monitoring, resiliency, security, and more.
798 |
799 | [Chaos Monkey](https://github.com/Netflix/chaosmonkey) is a resiliency tool that helps applications tolerate random instance failures. It is fully integrated with [Spinnaker](https://www.spinnaker.io/), the continuous delivery platform. Chaos Monkey will work with any backend that Spinnaker supports (AWS, Google Compute Engine, Azure, Kubernetes, Cloud Foundry).
800 |
801 | [Vuls](https://vuls.io/) is an agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices.
802 |
803 | [SpiderFoot](https://github.com/smicallef/spiderfoot) is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.
804 |
805 | [Lynis](https://cisofy.com/lynis/) is a security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation is optional.
806 |
807 | [Priam](https://github.com/Netflix/Priam) is a tool/process for backup/recovery, Token Management, and Centralized Configuration management for Cassandra.
808 |
809 | [Vector](https://github.com/Netflix/vector) is an on-host performance monitoring framework which exposes hand picked high resolution metrics to every engineer’s browser.
810 |
811 | [Atlas](https://github.com/Netflix/atlas) is an in-memory dimensional [time series database](https://en.wikipedia.org/wiki/Time_series_database).
812 |
813 | [SELinux](https://github.com/SELinuxProject/selinux) is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.
814 |
815 | [AppArmor](https://www.apparmor.net/) is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing both known and unknown application flaws from being exploited. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.
816 |
817 | [Control Groups (Cgroups)](https://www.redhat.com/sysadmin/cgroups-part-one) is a Linux kernel feature that allows you to allocate resources such as CPU time, system memory, network bandwidth, or any combination of these resources for user-defined groups of tasks (processes) running on a system.
818 |
819 | [EarlyOOM](https://github.com/rfjakob/earlyoom) is a daemon for Linux that enables users to more quickly recover and regain control over their system in low-memory situations with heavy swap usage.
820 |
821 | [Libgcrypt](https://www.gnupg.org/related_software/libgcrypt/) is a general purpose cryptographic library originally based on code from GnuPG.
822 |
823 | [Kali Linux](https://www.kali.org/) is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services.
824 |
825 | [Pi-hole](https://pi-hole.net/) is a [DNS sinkhole](https://en.wikipedia.org/wiki/DNS_Sinkhole) that protects your devices from unwanted content, without installing any client-side software, intended for use on a private network. It is designed for use on embedded devices with network capability, such as the Raspberry Pi, but it can be used on other machines running Linux and cloud implementations.
826 |
827 | [Aircrack-ng](https://www.aircrack-ng.org/) is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
828 |
829 | [Burp Suite](https://portswigger.net/burp) is a leading range of cybersecurity tools.
830 |
831 | [KernelCI](https://foundation.kernelci.org/) is a community-based open source distributed test automation system focused on upstream kernel development. The primary goal of KernelCI is to use an open testing philosophy to ensure the quality, stability and long-term maintenance of the Linux kernel.
832 |
833 | [Continuous Kernel Integration project](https://github.com/cki-project) helps find bugs in kernel patches before they are committed to an upstream kernel tree. We are a team of kernel developers, kernel testers, and automation engineers.
834 |
835 | [Cilium](https://cilium.io/) uses eBPF to accelerate getting data in and out of L7 proxies such as Envoy, enabling efficient visibility into API protocols like HTTP, gRPC, and Kafka.
836 |
837 | [Hubble](https://github.com/cilium/hubble) is a network, service and security observability platform for Kubernetes using eBPF.
838 |
839 | [Istio](https://istio.io/) is an open platform to connect, manage, and secure microservices. Istio's control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes and Mesos.
840 |
841 | [Certgen](https://github.com/cilium/certgen) is a convenience tool to generate and store certificates for Hubble Relay mTLS.
842 |
843 | [syzkaller](https://github.com/google/syzkaller) is an unsupervised, coverage-guided kernel fuzzer.
844 |
845 | [SchedViz](https://github.com/google/schedviz) is a tool for gathering and visualizing kernel scheduling traces on Linux machines.
846 |
847 | [oss-fuzz](https://google.github.io/oss-fuzz/) aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.
848 |
849 | [OSSEC](https://www.ossec.net/) is a free, open-source host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response.
850 |
851 | [Metasploit Project](https://www.metasploit.com/) is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
852 |
853 | [Wfuzz](https://github.com/xmendez/wfuzz) was created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.
854 |
855 | [Nmap](https://nmap.org/) is a security scanner used to discover hosts and services on a computer network, thus building a "map" of the network.
856 |
857 | [Patchwork](https://github.com/getpatchwork/patchwork) is a web-based patch tracking system designed to facilitate the contribution and management of contributions to an open-source project.
858 |
859 | [pfSense](https://www.pfsense.org/) is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.
860 |
861 | [Snowpatch](https://github.com/ruscur/snowpatch) is a continuous integration tool for projects using a patch-based, mailing-list-centric git workflow. This workflow is used by a number of well-known open source projects such as the Linux kernel.
862 |
863 | [Snort](https://www.snort.org/) is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.
864 |
865 | [Wireshark](https://www.wireshark.org/) is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
866 |
867 | [Tink](https://github.com/google/tink) is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and harder to misuse.
868 |
869 | [ClamAV](https://www.clamav.net/) is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
870 |
871 | # Network Security
872 | [Back to the Top](https://github.com/mikeroyal/Open-Source-Security-Guide#table-of-contents)
873 |
878 |
879 | ## Networking Tools & Concepts
880 |
881 | [Qt Network Authorization](https://doc.qt.io/qt-6/qtnetworkauth-index.html) is a tool that provides a set of APIs that enable Qt applications to obtain limited access to online accounts and HTTP services without exposing users' passwords.
882 |
883 | [cURL](https://curl.se/) is a computer software project providing a library and command-line tool for transferring data using various network protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SMB, SMBS, SMTP or SMTPS). cURL is also used in cars, television sets, routers, printers, audio equipment, mobile phones, tablets, set-top boxes and media players, and is the Internet transfer engine for thousands of software applications in over ten billion installations.
884 |
885 | [cURL Fuzzer](https://github.com/curl/curl-fuzzer) is a quality assurance testing tool for the curl project.
886 |
887 | [DoH](https://github.com/curl/doh) is a stand-alone application for DoH (DNS-over-HTTPS) name resolves and lookups.
888 |
889 | [Authelia](https://www.authelia.com/) is an open-source highly-available authentication server providing single sign-on capability and two-factor authentication to applications running behind [NGINX](https://nginx.org/en/).
890 |
891 | [nginx (engine x)](https://nginx.org/en/) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev.
892 |
893 | [Proxmox Virtual Environment (VE)](https://www.proxmox.com/en/) is a complete open-source platform for enterprise virtualization. It includes a built-in web interface with which you can easily manage VMs and containers, software-defined storage and networking, high-availability clustering, and multiple out-of-the-box tools on a single solution.
894 |
895 | [Wireshark](https://www.wireshark.org/) is a very popular network protocol analyzer that is commonly used for network troubleshooting, analysis, and communications protocol development. Learn more about the other useful [Wireshark Tools](https://wiki.wireshark.org/Tools) available.
896 |
897 | [HTTPie](https://github.com/httpie/httpie) is a command-line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. HTTPie is designed for testing, debugging, and generally interacting with APIs & HTTP servers.
898 |
899 | [HTTPStat](https://github.com/reorx/httpstat) is a tool that visualizes curl statistics in a simple layout.
900 |
901 | [Wuzz](https://github.com/asciimoo/wuzz) is an interactive cli tool for HTTP inspection. It can be used to inspect/modify requests copied from the browser's network inspector with the "copy as cURL" feature.
902 |
903 | [Websocat](https://github.com/vi/websocat) is a command-line client for WebSockets, like netcat (or curl) for ws://, with advanced socat-like functions.
904 |
905 | - Connection: In networking, a connection refers to pieces of related information that are transferred through a network. This generally implies that a connection is built before the data transfer (by following the procedures laid out in a protocol) and then is torn down at the end of the data transfer.
906 |
907 | - Packet: A packet is, generally speaking, the most basic unit that is transferred over a network. When communicating over a network, packets are the envelopes that carry your data (in pieces) from one end point to the other.
908 |
909 | Packets have a header portion that contains information about the packet, such as the source and destination, timestamps, and network hops. The main portion of a packet contains the actual data being transferred. It is sometimes called the body or the payload.
910 |
911 | - Network Interface: A network interface can refer to any kind of software interface to networking hardware. For instance, if you have two network cards in your computer, you can control and configure each network interface associated with them individually.
912 |
913 | A network interface may be associated with a physical device, or it may be a representation of a virtual interface. The "loop-back" device, which is a virtual interface to the local machine, is an example of this.
914 |
915 | - LAN: LAN stands for "local area network". It refers to a network or a portion of a network that is not publicly accessible to the greater internet. A home or office network is an example of a LAN.
916 |
917 | - WAN: WAN stands for "wide area network". It means a network that is much more extensive than a LAN. While WAN is the relevant term to use to describe large, dispersed networks in general, it is usually used to mean the internet as a whole.
918 | If an interface is connected to the WAN, it is generally assumed that it is reachable through the internet.
919 |
920 | - Protocol: A protocol is a set of rules and standards that basically define a language that devices can use to communicate. There are a great number of protocols in use extensively in networking, and they are often implemented in different layers.
921 |
922 | Some lower-level protocols are IP and ICMP (internet layer) and TCP and UDP (transport layer). Familiar examples of application-layer protocols built on these are HTTP (for accessing web content), SSH, DNS and FTP. TLS/SSL sits between the transport and application layers; it is what HTTPS, for example, uses to protect HTTP.
923 |
924 | - Port: A port is an address on a single machine that can be tied to a specific piece of software. It is not a physical interface or location, but it allows your server to be able to communicate using more than one application.
925 |
926 | - Firewall: A firewall is a program that decides whether traffic coming into a server or going out should be allowed. A firewall usually works by creating rules for which type of traffic is acceptable on which ports. Generally, firewalls block ports that are not used by a specific application on a server.
927 |
928 | - NAT: Network address translation rewrites the addresses in packets as they pass through a router. Its most common use is to let many hosts on a LAN with private addresses share one public IP address: the router keeps a table of active translations so that replies can be forwarded back to the right internal host. Connections initiated from the outside towards an internal server only work if an explicit mapping (port forwarding) has been configured.
929 |
930 | - VPN: Virtual private network is a means of connecting separate LANs through the internet, while maintaining privacy. This is used as a means of connecting remote systems as if they were on a local network, often for security reasons.
931 |
932 | ## Network Layers
933 |
934 | While networking is often discussed in terms of topology in a horizontal way, between hosts, its implementation is layered in a vertical fashion throughout a computer or network. This means that there are multiple technologies and protocols that are built on top of each other in order for communication to function more easily. Each successive, higher layer abstracts the raw data a little bit more, and makes it simpler to use for applications and users. It also allows you to leverage lower layers in new ways without having to invest the time and energy to develop the protocols and applications that handle those types of traffic.
935 |
936 | As data is sent out of one machine, it begins at the top of the stack and filters downwards. At the lowest level, actual transmission to another machine takes place. At this point, the data travels back up through the layers of the other computer. Each layer has the ability to add its own "wrapper" around the data that it receives from the adjacent layer, which will help the layers that come after decide what to do with the data when it is passed off.
937 |
938 | One method of talking about the different layers of network communication is the OSI model. OSI stands for [Open Systems Interconnection](https://en.wikipedia.org/wiki/OSI_model). This model defines seven separate layers. The layers in this model are:
939 |
940 | - Application: The application layer is the layer that the users and user-applications most often interact with. Network communication is discussed in terms of availability of resources, partners to communicate with, and data synchronization.
941 |
942 | - Presentation: The presentation layer is responsible for mapping resources and creating context. It is used to translate lower level networking data into data that applications expect to see.
943 |
944 | - Session: The session layer is a connection handler. It creates, maintains, and destroys connections between nodes in a persistent way.
945 |
946 | - Transport: The transport layer is responsible for handing the layers above it a reliable connection. In this context, reliable refers to the ability to verify that a piece of data was received intact at the other end of the connection. This layer can resend information that has been dropped or corrupted and can acknowledge the receipt of data to remote computers.
947 |
948 | - Network: The network layer is used to route data between different nodes on the network. It uses addresses to be able to tell which computer to send information to. This layer can also break apart larger messages into smaller chunks to be reassembled on the opposite end.
949 |
950 | - Data Link: This layer is implemented as a method of establishing and maintaining reliable links between different nodes or devices on a network using existing physical connections.
951 |
952 | - Physical: The physical layer is responsible for handling the actual physical devices that are used to make a connection. This layer involves the bare software that manages physical connections as well as the hardware itself (like Ethernet).
953 |
954 | The TCP/IP model, more commonly known as the Internet protocol suite, is another layering model that is simpler and has been widely adopted. It defines four separate layers, some of which overlap with the OSI model:
955 |
956 | - Application: In this model, the application layer is responsible for creating and transmitting user data between applications. The applications can be on remote systems, and should appear to the end user to operate as if they were local.
957 | The communication takes place between peers on the network.
958 |
959 | - Transport: The transport layer is responsible for communication between processes. This level of networking utilizes ports to address different services. It can build up unreliable or reliable connections depending on the type of protocol used.
960 |
961 | - Internet: The internet layer is used to transport data from node to node in a network. This layer is aware of the endpoints of the connections, but does not worry about the actual connection needed to get from one place to another. IP addresses are defined in this layer as a way of reaching remote systems in an addressable manner.
962 |
963 | - Link: The link layer implements the actual topology of the local network that allows the internet layer to present an addressable interface. It establishes connections between neighboring nodes to send data.
964 |
965 | ### Interfaces
966 | **Interfaces** are networking communication points for your computer. Each interface is associated with a physical or virtual networking device. Typically, your server will have one configurable network interface for each Ethernet or wireless internet card you have. In addition, it will define a virtual network interface called the "loopback" or localhost interface. This is used as an interface to connect applications and processes on a single computer to other applications and processes. You can see this referenced as the "lo" interface in many tools.
967 |
968 | ## Network Protocols
969 |
970 | Networking works by piggybacking a number of different protocols on top of each other. In this way, one piece of data can be transmitted using multiple protocols encapsulated within one another.
971 |
972 | **Media Access Control (MAC)** is the link-layer addressing scheme used to distinguish specific network interfaces. Each interface is supposed to get a unique MAC address during the manufacturing process that differentiates it from every other interface on the local network. Addressing hardware by the MAC address allows you to reference an interface by a fixed value even when the software on top may rename that interface during operation. Media access control is one of the only parts of the link layer that you are likely to interact with on a regular basis. Note that MAC addresses only travel within the local link (routers replace them hop by hop) and most operating systems let software override them, so a MAC address identifies an interface but does not authenticate it; MAC-based allow lists are a weak control.
973 |
974 | **The IP protocol** is one of the fundamental protocols that allow the internet to work. IP addresses are unique on each network and they allow machines to address each other across a network. It is implemented at the internet layer of the TCP/IP model. Networks can be linked together, but traffic must be routed when crossing network boundaries. This protocol assumes an unreliable network and multiple paths to the same destination that it can dynamically change between. There are two versions of the protocol in use. The most common today is still IPv4, although IPv6 is growing in popularity as an alternative due to the scarcity of available IPv4 addresses and improvements in the protocol's capabilities.
975 |
976 | **ICMP: internet control message protocol** is used to send messages between devices to indicate the availability or error conditions. These packets are used in a variety of network diagnostic tools, such as ping and traceroute. Usually ICMP packets are transmitted when a packet of a different kind meets some kind of a problem. Basically, they are used as a feedback mechanism for network communications.
977 |
978 | **TCP: Transmission control protocol** is implemented in the transport layer of the TCP/IP model and is used to establish reliable connections. TCP is one of the protocols that encapsulates data into packets. It then transfers these to the remote end of the connection using the methods available on the lower layers. On the other end, it can check for errors, request certain pieces to be resent, and reassemble the information into one logical piece to send to the application layer. The protocol builds up a connection prior to data transfer using a system called a three-way handshake (SYN, SYN-ACK, ACK). This is a way for the two ends of the communication to acknowledge the request and agree upon the sequence numbers used to ensure data reliability. After the data has been sent, the connection is torn down using a similar four-way exchange of FIN and ACK segments. TCP is the protocol of choice for many of the most popular uses for the internet, including WWW, FTP, SSH, and email. It is safe to say that the internet we know today would not be here without TCP.
979 |
980 | **UDP: User datagram protocol** is a popular companion protocol to TCP and is also implemented in the transport layer. The fundamental difference between UDP and TCP is that UDP offers unreliable data transfer. It does not verify that data has been received on the other end of the connection. This might sound like a bad thing, and for many purposes, it is. However, it is also extremely important for some functions. Because it never waits for an acknowledgement and never retransmits, UDP has far less overhead and latency than TCP. It does not establish a connection with the remote host; it simply fires off datagrams to that host and does not care whether they are accepted or not. Since a UDP exchange is a simple transaction, it is useful for simple communications like querying for network resources (DNS is the classic example). It also doesn't maintain state, which makes it well suited to transmitting data from one machine to many real-time clients. This makes it ideal for VoIP, games, and other applications that cannot afford delays. The same properties make UDP services attractive for spoofing and amplification attacks: a request can carry a forged source address, and the reply goes wherever that address points.
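
The definitions above (packet headers, MAC and IP addresses, ports, TCP flags, encapsulation of one protocol inside another) are easiest to see by decoding a real frame. The following is an added example, not code from this guide or from any of the tools it lists: it builds a constructed Ethernet/IPv4/TCP SYN frame with sample addresses, then peels it apart layer by layer the way a sniffer or IDS would, verifying the IPv4 header checksum along the way. Only the standard library is used; the TCP checksum is deliberately left unfilled, since it needs a pseudo-header and is not the point here.

```python
import ipaddress
import struct

# Added example, not from the guide. MACs, IPs and ports below are constructed
# sample values; the frame is built in memory, nothing touches the network.

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words.
    Over a header whose checksum field is zero it yields the value to store;
    over a header that already carries a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(*, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port,
                tcp_flags=0x02, payload=b"") -> bytes:
    """Ethernet II + IPv4 (no options) + TCP (no options); default flags = SYN."""
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 0x1000, 0,
                      (5 << 12) | tcp_flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Peel the encapsulation: link header, then internet header, then transport."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    out = {"dst_mac": fmt_mac(frame[:6]), "src_mac": fmt_mac(frame[6:12])}

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # Never trust length fields from the wire without bounding them.
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 length fields")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    out.update(ttl=ip[8], proto=ip[9],
               src_ip=str(ipaddress.IPv4Address(ip[12:16])),
               dst_ip=str(ipaddress.IPv4Address(ip[16:20])))

    if out["proto"] == PROTO_TCP:
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        data_off = (off_flags >> 12) * 4
        if data_off < 20 or data_off > len(tcp):
            raise ValueError("malformed TCP data offset")
        out.update(src_port=src_port, dst_port=dst_port, seq=seq, ack=ack,
                   flags=[name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit],
                   payload=tcp[data_off:])
    return out


def frame_is_valid(frame: bytes) -> bool:
    """True if every layer decodes cleanly and the IPv4 checksum verifies."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    syn = build_frame(src_mac="02:00:00:00:00:01", dst_mac="02:00:00:00:00:02",
                      src_ip="192.168.1.10", dst_ip="10.0.0.5",
                      src_port=40000, dst_port=443)
    print(parse_frame(syn))
    tampered = bytearray(syn)
    tampered[14 + 8] = 1            # change the TTL without recomputing the checksum
    print("tampered frame valid:", frame_is_valid(bytes(tampered)))
```

The checksum check is an integrity check against accidental corruption only: anyone who can modify the packet can recompute it, which is why none of these headers can be trusted for authentication and why the forged-source-address attacks mentioned above work at all.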
981 |
982 | **HTTP: Hypertext transfer protocol** is a protocol defined in the application layer that forms the basis for communication on the web. HTTP defines a number of methods that tell the remote system what you are requesting. For instance, GET, POST, and DELETE each ask the server to do something different with the named resource.
983 |
984 | **FTP: File transfer protocol** is in the application layer and provides a way of transferring complete files from one host to another. It sends credentials and file contents in cleartext, so it is not recommended for any externally facing network unless it is implemented as a public, download-only (anonymous) resource; use SFTP (over SSH) or FTPS (over TLS) where authenticated transfer is needed.
985 |
986 | **DNS: Domain name system** is an application layer protocol used to provide a human-friendly naming mechanism for internet resources. It is what ties a domain name to an IP address and allows you to access sites by name in your browser.
987 |
988 | **SSH: Secure shell** is an encrypted protocol implemented in the application layer that can be used to communicate with a remote server in a secure way. Many additional technologies are built around this protocol because of its end-to-end encryption and ubiquity. There are many other protocols that we haven't covered that are equally important. However, this should give you a good overview of some of the fundamental technologies that make the internet and networking possible.
989 |
990 | [REST(REpresentational State Transfer)](https://www.codecademy.com/articles/what-is-rest) is an architectural style for providing standards between computer systems on the web, making it easier for systems to communicate with each other.
991 |
992 | [JSON Web Token (JWT)](https://jwt.io) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS) or encrypted using JSON Web Encryption (JWE). A signed JWT is not encrypted: its header and claims are only base64url-encoded, so anyone holding the token can read them, and a verifier must check the signature (with the expected algorithm fixed on the verifier's side rather than taken from the token's `alg` header) and the `exp`/`nbf` claims before trusting anything in it.
993 |
994 | [OAuth 2.0](https://oauth.net/2/) is an open standard authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Amazon, Google, Facebook, Microsoft, Twitter, GitHub, and DigitalOcean. It works by delegating the sign-in and consent step to the service that hosts the user account, which then issues the third-party application a scoped access token in place of the user's password. OAuth 2.0 by itself is an authorization protocol, not an authentication protocol; OpenID Connect builds the identity layer on top of it.
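
The pieces of that delegation that an application developer actually writes are shown in the following added example (not code from oauth.net or from any provider's SDK): an authorization code flow with PKCE (RFC 7636), covering the client's request, the check of the redirect that brings the code back, and the authorization server's check of the code verifier at the token endpoint. The endpoint URLs, `client_id`, scope and the sample authorization code are hypothetical; the token request itself is not sent, since that needs a live server.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not from any SDK. Endpoints, client_id and the sample
# authorization code are hypothetical values.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """code_verifier (kept secret by the client) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))     # 43 chars, inside RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """Step 1: the client sends the user's browser to the authorization server."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,                       # ask for the least access needed
        "state": state,                       # binds the redirect to this session (CSRF)
        "code_challenge": code_challenge,     # binds the code to this client instance
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str):
    """Step 2: the browser comes back; accept the code only if state matches
    and the server did not report an error. Returns None when it must be discarded."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state.encode("utf-8"),
                                                expected_state.encode("utf-8")):
        return None                           # possible CSRF or mix-up attack
    if "error" in query:
        return None
    return query.get("code", [None])[0]


def server_verify_pkce(stored_challenge: str, stored_method: str,
                       presented_verifier: str) -> bool:
    """Step 3 (authorization server side): at the token endpoint the client presents
    the verifier, which must hash to the challenge recorded when the code was issued."""
    if stored_method != "S256":
        return False                          # refuse the downgrade to "plain"
    if not 43 <= len(presented_verifier) <= 128:
        return False
    computed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(computed.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url("https://auth.example/oauth2/authorize", "demo-client",
                                  "https://app.example/callback", "repo:read",
                                  state, challenge)
    print(url)
    # Simulated redirect back from the authorization server (sample code value)
    code = extract_code(f"https://app.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}",
                        state)
    print("code accepted:", code)
    # The server stored (challenge, "S256") alongside the code; the client now
    # POSTs code + verifier to the token endpoint and the server checks them.
    print("pkce ok:", server_verify_pkce(challenge, "S256", verifier))
```

The two checks matter because the authorization code travels through the browser: `state` stops an attacker from injecting their own code into a victim's session, and PKCE stops anyone who intercepts the code (a malicious app on a phone, a leaked redirect log) from exchanging it for a token without the verifier that never left the legitimate client.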
995 |
996 | ## Virtualization
997 |
998 | [KVM (for Kernel-based Virtual Machine)](https://www.linux-kvm.org/page/Main_Page) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor specific module, kvm-intel.ko or kvm-amd.ko.
999 |
1000 | [QEMU](https://www.qemu.org) is a fast processor emulator using a portable dynamic translator. QEMU emulates a full system, including a processor and various peripherals. It can be used to launch a different Operating System without rebooting the PC or to debug system code.
1001 |
1002 | [Hyper-V](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/) enables running virtualized computer systems on top of a physical host. These virtualized systems can be used and managed just as if they were physical computer systems, however they exist in virtualized and isolated environment. Special software called a hypervisor manages access between the virtual systems and the physical hardware resources. Virtualization enables quick deployment of computer systems, a way to quickly restore systems to a previously known good state, and the ability to migrate systems between physical hosts.
1003 |
1004 | [VirtManager](https://github.com/virt-manager/virt-manager) is a graphical tool for managing virtual machines via libvirt. Most usage is with QEMU/KVM virtual machines, but Xen and libvirt LXC containers are well supported. Common operations for any libvirt driver should work.
1005 |
1006 | [oVirt](https://www.ovirt.org) is an open-source distributed virtualization solution, designed to manage your entire enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible. Founded by Red Hat as the community project on which Red Hat Enterprise Virtualization is based, it allows for centralized management of virtual machines, compute, storage and networking resources from an easy-to-use web-based front-end with platform-independent access.
1007 |
1008 | [Xen](https://github.com/xen-project/xen) is focused on advancing virtualization in a number of different commercial and open source applications, including server virtualization, Infrastructure as a Service (IaaS), desktop virtualization, security applications, embedded and hardware appliances, and automotive/aviation.
1009 |
1010 | [Ganeti](https://github.com/ganeti/ganeti) is a virtual machine cluster management tool built on top of existing virtualization technologies such as Xen or KVM and other open source software. Once installed, the tool assumes management of the virtual instances (Xen DomU).
1011 |
1012 | [Packer](https://www.packer.io/) is an open source tool for creating identical machine images for multiple platforms from a single source configuration. Packer is lightweight, runs on every major operating system, and is highly performant, creating machine images for multiple platforms in parallel. Packer does not replace configuration management like Chef or Puppet. In fact, when building images, Packer is able to use tools like Chef or Puppet to install software onto the image.
1013 |
1014 | [Vagrant](https://www.vagrantup.com/) is a tool for building and managing virtual machine environments in a single workflow. With an easy-to-use workflow and focus on automation, Vagrant lowers development environment setup time, increases production parity, and makes the "works on my machine" excuse a relic of the past. It provides easy to configure, reproducible, and portable work environments built on top of industry-standard technology and controlled by a single consistent workflow to help maximize the productivity and flexibility of you and your team.
1015 |
1016 | [VMware Workstation](https://www.vmware.com/products/workstation-pro.html) is a hosted hypervisor that runs on x64 versions of Windows and Linux operating systems; it enables users to set up virtual machines on a single physical machine, and use them simultaneously along with the actual machine.
1017 |
1018 | ## Contribute
1019 |
1020 | - [x] If you would like to contribute to this guide simply make a [Pull Request](https://github.com/mikeroyal/Open-Source-Security-Guide/pulls).
1021 |
1022 |
1023 | ## License
1024 |
1025 | [Back to the Top](https://github.com/mikeroyal/Open-Source-Security-Guide#table-of-contents)
1026 |
1027 | Distributed under the [Creative Commons Attribution 4.0 International (CC BY 4.0) Public License](https://creativecommons.org/licenses/by/4.0/).
1028 |
--------------------------------------------------------------------------------
/Security Glossary.md:
--------------------------------------------------------------------------------
1 | A list of Key Information Security Terms for Software and Hardware. **Sources:** [NIST Federal Information Processing Standards (FIPS)](https://csrc.nist.gov/publications/fips), the [Special Publication (SP) 800 series](https://csrc.nist.gov/publications/sp), [NIST Interagency Reports (NISTIRs)](https://csrc.nist.gov/publications/nistir), and from the [Committee for National Security Systems Instruction 4009 (CNSSI-4009)](https://www.cnss.gov/CNSS/issuances/Instructions.cfm).
2 |
3 |
4 | A
5 |
6 | Access – Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
7 | SOURCE: CNSSI-4009
8 |
9 | Access Authority – An entity responsible for monitoring and granting access privileges for other authorized entities.
10 | SOURCE: CNSSI-4009
11 |
12 | Access Control – The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
13 | SOURCE: FIPS 201; CNSSI-4009
14 |
15 | Access Control List (ACL) –
16 | * 1. A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
17 | * 2. A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
18 | SOURCE: CNSSI-4009
19 |
20 | Access Control Lists (ACLs) – A register of:
21 | * 1. users (including groups, machines, processes) who have been given permission to use a particular system resource, and
22 | * 2. the types of access they have been permitted.
23 | SOURCE: SP 800-12
24 |
25 | Access Control Mechanism – Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized
26 | access and permit authorized access to an information system.
27 | SOURCE: CNSSI-4009
28 |
29 | Access Level – A category within a given security classification limiting entry or
30 | system connectivity to only authorized persons.
31 | SOURCE: CNSSI-4009
32 |
33 | Access List – Roster of individuals authorized admittance to a controlled area.
34 | SOURCE: CNSSI-4009
35 |
36 | Access Point – A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.
37 | SOURCE: SP 800-48; SP 800-121
38 |
39 | Access Profile – Association of a user with a list of protected objects the user may access.
40 | SOURCE: CNSSI-4009
41 |
42 | Access Type – Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.
43 | SOURCE: CNSSI-4009
44 |
45 | Activation Data – Private data, other than keys, that are required to access cryptographic modules.
46 | SOURCE: SP 800-32
47 |
48 | Active Attack – An attack that alters a system or data.
49 | SOURCE: CNSSI-4009
50 |
51 | Active Content – Software in various forms that is able to automatically carry out or trigger actions on a computer platform without the intervention of a user.
52 | SOURCE: CNSSI-4009
53 |
54 | Active Security Testing – Security testing that involves direct interaction with a target, such as sending packets to a target.
55 | SOURCE: SP 800-115
56 |
57 | Advanced Encryption Standard – (AES) The Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
58 | SOURCE: FIPS 197
59 |
60 | B
61 |
62 | Blacklisting – The process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.
63 | SOURCE: CNSSI-4009
64 |
65 | Blue Team –
66 | * 1. The group responsible for defending an enterprise’s use of
67 | information systems by maintaining its security posture against a
68 | group of mock attackers (i.e., the Red Team). Typically the Blue
69 | Team and its supporters must defend against real or simulated
70 | attacks 1) over a significant period of time, 2) in a representative
71 | operational context (e.g., as part of an operational exercise), and 3)
72 | according to rules established and monitored with the help of a
73 | neutral group refereeing the simulation or exercise (i.e., the White
74 | Team).
75 | * 2. The term Blue Team is also used for defining a group of
76 | individuals that conduct operational network vulnerability
77 | evaluations and provide mitigation techniques to customers who have
78 | a need for an independent technical review of their network security
79 | posture. The Blue Team identifies security threats and risks in the
80 | operating environment, and in cooperation with the customer,
81 | analyzes the network environment and its current state of security
82 | readiness. Based on the Blue Team findings and expertise,
83 | they provide recommendations that integrate into an overall
84 | community security solution to increase the customer's cyber security
85 | readiness posture. Often times a Blue Team is employed by itself or
86 | prior to a Red Team employment to ensure that the customer's
87 | networks are as secure as possible before having the Red Team test
88 | the systems.
89 | SOURCE: CNSSI-4009
90 |
91 | Body of Evidence (BoE) – The set of data that documents the information system’s adherence to the security controls applied. The BoE will include a Requirements Verification Traceability Matrix (RVTM) delineating where the selected security controls are met and evidence to that fact can be found. The BoE content required by an Authorizing Official will be adjusted according to the impact levels selected.
92 | SOURCE: CNSSI-4009
93 |
94 | Boundary – Physical or logical perimeter of a system.
95 | SOURCE: CNSSI-4009
96 |
97 | C
98 |
99 | Capstone Policies – Those policies that are developed by governing or coordinating institutions of Health Information Exchanges (HIEs). They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels.
100 | SOURCE: NISTIR-7497
101 |
102 | Capture – The method of taking a biometric sample from an end user.
103 | SOURCE: FIPS 201
104 |
105 | Certificate Management – Process whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed.
106 | SOURCE: CNSSI-4009
107 |
108 | Certificate Management Authority – A Certification Authority (CA) or a Registration Authority (RA).
109 | SOURCE: SP 800-32
110 |
111 | Certificate Policy (CP) – A specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.
112 | SOURCE: CNSSI-4009; SP 800-32
113 |
114 | Certification Practice Statement – A statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).
115 | SOURCE: SP 800-32; CNSSI-4009
116 |
117 | Certification Test and Evaluation – Software and hardware security tests conducted during development of an information system.
118 | SOURCE: CNSSI-4009
119 |
120 | Checksum – Value computed on data to detect error or manipulation.
121 | SOURCE: CNSSI-4009
122 |
123 | Cloud Computing – A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
124 | SOURCE: NISTIR 8006, adapted from NIST SP 800-145
125 |
126 | Cryptographic Initialization – Function used to set the state of a cryptographic logic prior to key generation, encryption, or other operating mode.
127 | SOURCE: CNSSI-4009
128 |
129 | Cryptographic Key – A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.
130 | SOURCE: SP 800-63
131 |
132 | D
133 |
134 | Data – A subset of information in an electronic format that allows it to be retrieved or transmitted.
135 | SOURCE: CNSSI-4009
136 |
137 | Data Aggregation – Compilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.
138 | SOURCE: CNSSI-4009
139 |
140 | Data Origin Authentication – The process of verifying that the source of the data is as claimed and that the data has not been modified.
141 | SOURCE: CNSSI-4009
142 |
143 | Data Security – Protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
144 | SOURCE: CNSSI-4009
145 |
146 | Data Transfer Device (DTD) – Fill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems.
147 | SOURCE: CNSSI-4009
148 |
149 | Denial of Service (DoS) – The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)
150 | SOURCE: CNSSI-4009
151 |
152 | Differential Power Analysis – An analysis of the variations of the electrical power consumption of a cryptographic module, using advanced statistical methods and/or other techniques, for the purpose of extracting information correlated to cryptographic keys used in a cryptographic algorithm.
153 | SOURCE: FIPS 140-2
154 |
155 | Digital Evidence – Electronic information stored or transferred in digital form.
156 | SOURCE: SP 800-72
157 |
158 | Digital Forensics – The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
159 | SOURCE: SP 800-86
160 |
161 | Digital Signature – An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.
162 | SOURCE: SP 800-63
163 |
164 | Disaster Recovery Plan (DRP) – A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
165 | SOURCE: SP 800-34
166 |
167 | E
168 |
169 | Embedded Cryptographic System – Cryptosystem performing or controlling a function as an integral element of a larger system or subsystem.
170 | SOURCE: CNSSI-4009
171 |
172 | Embedded Cryptography - Cryptography engineered into an equipment or system whose basic function is not cryptographic.
173 | SOURCE: CNSSI-4009
174 |
175 | Encipher – Convert plain text to cipher text by means of a cryptographic system.
176 | SOURCE: CNSSI-4009
177 |
178 | Encode – Convert plain text to cipher text by means of a code.
179 | SOURCE: CNSSI-4009
180 |
181 | Encrypt – Generic term encompassing encipher and encode.
182 | SOURCE: CNSSI-4009
183 |
184 | Encrypted Key – A cryptographic key that has been encrypted using an Approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.
185 | SOURCE: FIPS 140-2
186 |
187 | Encrypted Network – A network on which messages are encrypted (e.g., using DES, AES, or other appropriate algorithms) to prevent reading by unauthorized parties.
188 | SOURCE: SP 800-32
189 |
190 | Encryption – Conversion of plaintext to ciphertext through the use of a cryptographic algorithm.
191 | SOURCE: FIPS 185
192 |
193 | End-to-End Encryption – Encryption of information at its origin and decryption at its intended destination without intermediate decryption.
194 | SOURCE: CNSSI-4009
195 |
196 | End-to-End Security – Safeguarding information in an information system from point of origin to point of destination.
197 | SOURCE: CNSSI-4009
198 |
199 | F
200 |
201 | [Federal Risk and Authorization Management Program (FedRAMP)](https://www.gsa.gov/technology/government-it-initiatives/fedramp) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure cloud solutions.
202 |
203 | [Federal Information Security Management Act (FISMA)](https://csrc.nist.gov/topics/laws-and-regulations/laws/fisma) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural and manmade threats. This risk management framework was signed into law as part of the Electronic Government Act of 2002. Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs, or private businesses and service providers that hold a contract with the U.S. government.
204 |
205 | False Positive – An alert that incorrectly indicates that malicious activity is occurring.
206 | SOURCE: SP 800-61
207 |
208 | False Rejection – In biometrics, the instance of a security system failing to verify or identify an authorized person. It does not necessarily indicate a flaw in the biometric system; for example, in a fingerprint-based system, an incorrectly aligned finger on the scanner or dirt on the scanner can result in the scanner misreading the fingerprint, causing a false rejection of the authorized user.
209 | SOURCE: CNSSI-4009
210 |
211 | Federal Information Processing Standard (FIPS) – A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.
212 | SOURCE: FIPS 201
213 |
214 | File Encryption – The process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided.
215 | SOURCE: SP 800-111
216 |
217 | File Name Anomaly –
218 | * 1. A mismatch between the internal file header and its external extension.
220 | * 2. A file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphical extension).
222 | SOURCE: SP 800-72
223 |
224 | File Protection – Aggregate of processes and procedures designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents.
225 | SOURCE: CNSSI-4009
226 |
227 | File Security – Means by which access to computer files is limited to authorized users only.
228 | SOURCE: CNSSI-4009
229 |
230 | Firewall – A gateway that limits access between networks in accordance with local security policy.
231 | SOURCE: SP 800-32
232 |
233 | Forensics – The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
234 | SOURCE: CNSSI-4009
235 |
236 | G
237 |
238 | Gateway – Interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures.
239 | SOURCE: CNSSI-4009
240 |
241 | H
242 |
243 | Handshaking Procedures – Dialogue between two information systems for synchronizing, identifying, and authenticating themselves to one another.
244 | SOURCE: CNSSI-4009
245 |
246 | Hard Copy Key – Physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROM).
247 | SOURCE: CNSSI-4009
248 |
249 | Hardening – Configuring a host’s operating systems and applications to reduce the host’s security weaknesses.
250 | SOURCE: SP 800-123
251 |
252 | Hardware – The physical components of an information system.
253 | SOURCE: CNSSI-4009
254 |
255 | High Availability – A failover feature to ensure availability during device or component interruptions.
256 | SOURCE: SP 800-113
257 |
258 | I
259 |
260 | Identification – The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.
261 | SOURCE: SP 800-47
262 |
263 | Identifier – Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers.
264 | SOURCE: FIPS 201
265 |
266 | Identity – A set of attributes that uniquely describe a person within a given context.
267 | SOURCE: SP 800-63
268 |
269 | Identity – The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
270 | SOURCE: FIPS 201
271 |
272 | Identity Token – Smart card, metal key, or other physical object used to authenticate identity.
273 | SOURCE: CNSSI-4009
274 |
275 | Identity Validation – Tests enabling an information system to authenticate users or resources.
276 | SOURCE: CNSSI-4009
277 |
278 | Incident – A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
279 | SOURCE: SP 800-61
280 |
281 | Intellectual Property – Creations of the mind such as musical, literary, and artistic works; inventions; and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Under intellectual property law, the holder of one of these abstract “properties” has certain exclusive rights to the creative work, commercial symbol, or invention by which it is covered.
282 | SOURCE: CNSSI-4009
283 |
284 | Internet Protocol (IP) – Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.
285 | SOURCE: CNSSI-4009
286 |
287 | Intranet – A private network that is employed within the confines of a given enterprise (e.g., internal to a business or agency).
288 | SOURCE: CNSSI-4009
289 |
290 | Intrusion – Unauthorized act of bypassing the security mechanisms of a system.
291 | SOURCE: CNSSI-4009
292 |
293 | Intrusion Detection Systems (IDS) – Hardware or software product that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
294 | SOURCE: CNSSI-4009
295 |
296 | J
297 |
298 | Jamming – An attack in which a device is used to emit electromagnetic energy on a wireless network’s frequency to make it unusable.
299 | SOURCE: SP 800-48
300 |
301 | K
302 |
303 | Kerberos – A means of verifying the identities of principals on an open network. It accomplishes this without relying on the authentication, trustworthiness, or physical security of hosts while assuming all packets can be read, modified and inserted at will. It uses a trust broker model and symmetric cryptography to provide authentication and authorization of users and systems on the network.
304 | SOURCE: SP 800-95
305 |
306 | Key – A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.
307 | SOURCE: SP 800-63
308 |
309 | Key Logger – A program designed to record which keys are pressed on a computer keyboard, used to obtain passwords or encryption keys and thus bypass other security measures.
310 | SOURCE: SP 800-82
311 |
312 | L
313 |
314 | Least Privilege – The security objective of granting users only those accesses they need to perform their official duties.
315 | SOURCE: SP 800-12
316 |
317 | Level of Protection – Extent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are:
318 | * 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures.
319 | * 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures.
320 | * 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures.
321 | SOURCE: CNSSI-4009
322 |
323 | Likelihood of Occurrence – In Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.
324 | SOURCE: CNSSI-4009
325 |
326 | M
327 |
328 | Malicious Code – Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
329 | SOURCE: SP 800-53; CNSSI-4009
330 |
331 | Malware – A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.
332 | SOURCE: SP 800-83
333 |
334 | Man-in-the-middle Attack (MitM) – A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.
335 | SOURCE: CNSSI-4009
336 |
337 | Mandatory Access Control (MAC) – A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.
338 | SOURCE: SP 800-44
339 |
340 | Mandatory Access Control – Access controls (which) are driven by the results of a comparison between the user’s trust level or clearance and the sensitivity designation of the information.
341 | SOURCE: FIPS 191
342 |
343 | Masquerading – When an unauthorized agent claims the identity of another agent, it is said to be masquerading.
344 | SOURCE: SP 800-19
345 |
346 | Multilevel Security (MLS) – A concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.
347 | SOURCE: CNSSI-4009
348 |
349 | N
350 |
351 | Needs Assessment (IT Security Awareness and Training) – A process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can provide justification to convince management to allocate adequate resources to meet the identified awareness and training needs.
353 | SOURCE: SP 800-50
354 |
355 | Network – Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
357 | SOURCE: SP 800-53; CNSSI-4009
358 |
359 | Network Access – Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
360 | SOURCE: SP 800-53; CNSSI-4009
361 |
362 | Network Access Control (NAC) – A feature provided by some firewalls that allows access based on a user’s credentials and the results of health checks performed on the telework client device.
363 | SOURCE: SP 800-41
364 |
365 | Network Address Translation (NAT) – A routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema.
366 | SOURCE: SP 800-41
367 |
368 | O
369 |
370 | Object Identifier – A specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI, they are used to uniquely identify each of the four policies and cryptographic algorithms supported.
371 | SOURCE: SP 800-32
372 |
373 | Open Storage – Any storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations).
374 | SOURCE: CNSSI-4009
375 |
376 | Operating System (OS) Fingerprinting – Analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target.
377 | SOURCE: SP 800-115
378 |
379 | Operations Code – Code composed largely of words and phrases suitable for general communications use.
380 | SOURCE: CNSSI-4009
381 |
382 | Organization – A federal agency, or, as appropriate, any of its operational elements.
383 | SOURCE: FIPS 200
384 |
385 | Overwrite Procedure – A software process that replaces data previously stored on storage media with a predetermined set of meaningless data or random patterns.
386 | SOURCE: CNSSI-4009
387 |
388 | P
389 |
390 | Packet Filter – A routing device that provides access control functionality for host addresses and communication sessions.
391 | SOURCE: SP 800-41
392 |
393 | Packet Sniffer – Software that observes and records network traffic.
394 | SOURCE: CNSSI-4009
395 |
396 | Password – A protected character string used to authenticate the identity of a computer system user or to authorize access to system resources.
397 | SOURCE: FIPS 181
398 |
399 | Password Cracking – The process of recovering secret passwords stored in a computer system or transmitted over a network.
400 | SOURCE: SP 800-115
401 |
402 | Password Protected – The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.
403 | SOURCE: SP 800-72
404 |
405 | Patch – An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
406 | SOURCE: SP 800-123
407 |
408 | Payload – The input data to the CCM generation-encryption process that is both authenticated and encrypted.
409 | SOURCE: SP 800-38C
410 |
411 | Penetration Testing – A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.
412 | SOURCE: SP 800-53A
413 |
414 | Personal Identification Number (PIN) – A secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits.
415 | SOURCE: FIPS 201
416 |
417 | Phishing – A digital form of social engineering that uses authentic looking but bogus emails to request information from users or direct them to a fake Web site that requests information.
418 | SOURCE: SP 800-115
419 |
420 | Plaintext – Data input to the Cipher or output from the Inverse Cipher.
421 | SOURCE: FIPS 197
422 |
423 | Policy Mapping – Recognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain.
424 | SOURCE: SP 800-15
425 |
426 | Port – A physical entry or exit point of a cryptographic module that provides access to the module for physical signals, represented by logical information flows (physically separated ports do not share the same physical pin or wire).
427 | SOURCE: FIPS 140-2
428 |
429 | Port Scanning – Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
430 | SOURCE: CNSSI-4009
431 |
432 | Portal – A high-level remote access architecture that is based on a server that offers teleworkers access to one or more applications through a single centralized interface.
433 | SOURCE: SP 800-46
434 |
435 | Privilege – A right granted to an individual, a program, or a process.
436 | SOURCE: CNSSI-4009
437 |
438 | Privileged Accounts – Individuals who have access to set “access rights” for users on a given system. Sometimes referred to as system or network administrative accounts.
439 | SOURCE: SP 800-12
440 |
441 | Probe – A technique that attempts to access a system to learn something about the system.
442 | SOURCE: CNSSI-4009
443 |
444 | Profiling – Measuring the characteristics of expected activity so that changes to it can be more easily identified.
445 | SOURCE: SP 800-61; CNSSI-4009
446 |
447 | Protocol – Set of rules and formats, semantic and syntactic, permitting information systems to exchange information.
448 | SOURCE: CNSSI-4009
449 |
450 | Protocol Data Unit – A unit of data specified in a protocol and consisting of protocol information and, possibly, user data.
451 | SOURCE: FIPS 188
452 |
453 | Protocol Entity – Entity that follows a set of rules and formats (semantic and syntactic) that determines the communication behavior of other entities.
454 | SOURCE: FIPS 188
455 |
456 | Proxy – A proxy is an application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. This effectively closes the straight path between the internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a Hyper Text Transfer Protocol (HTTP) proxy used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used for email.
457 | SOURCE: SP 800-44
458 |
459 | Proxy Server – A server that services the requests of its clients by forwarding those requests to other servers.
460 | SOURCE: CNSSI-4009
461 |
462 | Public Domain Software – Software not protected by copyright laws of any nation that may be freely used without permission of, or payment to, the creator, and that carries no warranties from, or liabilities to the creator.
463 | SOURCE: CNSSI-4009
464 |
465 | Public Key – A cryptographic key used with a public key cryptographic algorithm, uniquely associated with an entity, and which may be made public; it is used to verify a digital signature; this key is mathematically linked with a corresponding private key.
466 | SOURCE: FIPS 196
467 |
468 | Q
469 |
470 | Qualitative Assessment – Use of a set of methods, principles, or rules for assessing risk based on nonnumeric categories or levels.
471 | SOURCE: SP 800-30
472 |
473 | Quality of Service – The measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a Service-Level Agreement between a user and a service provider, so as to satisfy specific customer application requirements. Note: These properties may include throughput (bandwidth), transit delay (latency), error rates, priority, security, packet loss, packet jitter, etc.
474 | SOURCE: CNSSI-4009
475 |
476 | Quantitative Assessment – Use of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.
477 | SOURCE: SP 800-30
478 |
479 | Quarantine – Store files containing malware in isolation for future disinfection or examination.
480 | SOURCE: SP 800-69
481 |
482 | R
483 |
484 | Radio Frequency Identification (RFID) – A form of automatic identification and data capture (AIDC) that uses electric or magnetic fields at radio frequencies to transmit information.
485 | SOURCE: SP 800-98
486 |
487 | Read – Fundamental operation in an information system that results only in the flow of information from an object to a subject.
488 | SOURCE: CNSSI-4009
489 |
490 | Read Access – Permission to read information in an information system.
491 | SOURCE: CNSSI-4009
492 |
493 | Real-Time Reaction – Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.
494 | SOURCE: CNSSI-4009
495 |
496 | Red Team – A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
497 | SOURCE: CNSSI-4009
498 |
499 | Red Team Exercise – An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization.
500 | SOURCE: SP 800-53
501 |
502 | Remote Access – Access to an organizational information system by a user (or an information system acting on behalf of a user) communicating through an external network (e.g., the Internet).
503 | SOURCE: SP 800-53
504 |
505 | Repository – A database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory.
506 | SOURCE: SP 800-32
507 |
508 | Risk Assessment – The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
509 | SOURCE: SP 800-53; SP 800-53A; SP 800-37
510 |
511 | Risk Assessment Methodology – A risk assessment process, together with a risk model, assessment approach, and analysis approach.
512 | SOURCE: SP 800-30
513 |
514 | Risk Assessment Report – The report which contains the results of performing a risk assessment or the formal output from the process of assessing risk.
515 | SOURCE: SP 800-30
516 |
517 | Root Certification Authority – In a hierarchical Public Key Infrastructure, the Certification Authority whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain.
518 | SOURCE: SP 800-32; CNSSI-4009
519 |
520 | Rootkit – A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means.
521 | SOURCE: CNSSI-4009
522 |
523 | S
524 | Safeguards – Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
525 | SOURCE: SP 800-53; SP 800-37; FIPS 200; CNSSI-4009
526 |
527 | Sandboxing – A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
528 | SOURCE: CNSSI-4009
529 |
530 | Scanning – Sending packets or requests to another system to gain information to be used in a subsequent attack.
531 | SOURCE: CNSSI-4009
532 |
533 | Secure Socket Layer (SSL) – A protocol used for protecting private information during transmission via the Internet.
534 | * **Note:** SSL works by using a public key to encrypt data that's transferred over the SSL connection. Most Web browsers support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https:” instead of “http:.”
536 | SOURCE: CNSSI-4009
537 |
538 | Security Content Automation Protocol (SCAP) – A method for using specific standardized testing methods to enable automated vulnerability management, measurement, and policy compliance evaluation against a standardized set of security requirements.
539 | SOURCE: CNSSI-4009
540 |
541 | Signature – A recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system.
542 | SOURCE: SP 800-61
543 |
544 | Signature Certificate – A public key certificate that contains a public key intended for verifying digital signatures rather than encrypting data or performing any other cryptographic functions.
545 | SOURCE: SP 800-32; CNSSI-4009
546 |
547 | Smart Card – A credit card-sized card with embedded integrated circuits that can store, process, and communicate information.
548 | SOURCE: CNSSI-4009
549 |
550 | Social Engineering – An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.
551 | SOURCE: SP 800-61
552 |
553 | Spam – Electronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
554 | SOURCE: CNSSI-4009
555 |
556 | Spoofing – “IP spoofing” refers to sending a network packet that appears to come from a source other than its actual source.
557 | SOURCE: SP 800-48
558 |
559 | Spyware – Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
561 | SOURCE: SP 800-53; CNSSI-4009
562 |
563 | Steganography – The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.
564 | SOURCE: SP 800-72; SP 800-101
565 |
566 | Supply Chain Attack – Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
567 | SOURCE: CNSSI-4009
568 |
569 | System Development Life Cycle (SDLC) – The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.
570 | SOURCE: SP 800-34; CNSSI-4009
571 |
572 | System Development Methodologies – Methodologies developed through software engineering to manage the complexity of system development. Development methodologies include software engineering aids and high-level design analysis tools.
573 | SOURCE: CNSSI-4009
574 |
575 | System Integrity – The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
576 | SOURCE: SP 800-27
577 |
578 | T
579 |
580 | Tailoring – The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements.
581 | SOURCE: SP 800-37; SP 800-53; SP 800-53A; CNSSI-4009
582 |
583 | Tampering – An intentional event resulting in modification of a system, its intended behavior, or data.
584 | SOURCE: CNSSI-4009
585 |
586 | Telecommunications – Preparation, transmission, communication, or related processing of information (writing, images, sounds, or other data) by electrical, electromagnetic, electromechanical, electro-optical, or electronic means.
587 | SOURCE: CNSSI-4009
588 |
589 | Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
590 | SOURCE: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; CNSSI-4009
592 |
593 | Threat Analysis – The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
594 | SOURCE: SP 800-27
595 |
596 | Threat Assessment – Formal description and evaluation of threat to an information system.
597 | SOURCE: SP 800-53; SP 800-18
598 |
599 | Threat Monitoring – Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.
600 | SOURCE: CNSSI-4009
601 |
602 | Token – Something that the Claimant possesses and controls (typically a key or password) that is used to authenticate the Claimant’s identity.
603 | SOURCE: SP 800-63
604 |
605 | Tracking Cookie – A cookie placed on a user’s computer to track the user’s activity on different Web sites, creating a detailed profile of the user’s behavior.
606 | SOURCE: SP 800-83
607 |
608 | Traffic Analysis – A form of passive attack in which an intruder observes information about calls (although not necessarily the contents of the messages) and makes inferences, e.g., from the source and destination numbers, or frequency and length of the messages.
609 | SOURCE: SP 800-24
610 |
611 | Trojan Horse – A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
612 | SOURCE: CNSSI-4009
613 |
614 | U
615 |
616 | Unauthorized Access – Occurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use.
617 | SOURCE: FIPS 191
618 |
619 | Unauthorized Disclosure – An event involving the exposure of information to entities not authorized access to the information.
620 | SOURCE: SP 800-57 Part 1; CNSSI-4009
621 |
622 | User – Individual or (system) process authorized to access an information system.
623 | SOURCE: FIPS 200
624 |
625 | User Initialization – A function in the life cycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware).
626 | SOURCE: SP 800-57 Part 1
627 |
628 | V
629 |
630 | Validation – The process of demonstrating that the system under consideration meets in all respects the specification of that system.
631 | SOURCE: FIPS 201
632 |
633 | Verification – Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).
634 | SOURCE: CNSSI-4009
635 |
636 | Virtual Machine (VM) – Software that allows a single host to run one or more guest operating systems.
637 | SOURCE: SP 800-115
638 |
639 | Virtual Private Network (VPN) – A virtual network, built on top of existing physical networks, that provides a secure communications tunnel for data and other information transmitted between networks.
640 | SOURCE: SP 800-46
641 |
642 | Virus – A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use email programs to spread itself to other computers, or even erase everything on a hard disk.
644 | SOURCE: CNSSI-4009
645 |
646 | Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
647 | SOURCE: SP 800-53; SP 800-53A; SP 800-37; SP 800-60; SP 800-115; FIPS 200
648 |
649 | Vulnerability Assessment – Formal description and evaluation of the vulnerabilities in an information system.
650 | SOURCE: SP 800-53; SP 800-37
651 |
652 | W
653 |
654 | Web Content Filtering Software – A program that prevents access to undesirable Web sites, typically by comparing a requested Web site address to a list of known bad Web sites.
655 | SOURCE: SP 800-69
656 |
657 | Web Risk Assessment – Processes for ensuring Web sites are in compliance with applicable policies.
658 | SOURCE: CNSSI-4009
659 |
660 | Whitelist – A list of discrete entities, such as hosts or applications that are known to be benign and are approved for use within an organization and/or information system.
661 | SOURCE: SP 800-128
662 |
663 | Wi-Fi Protected Access-2 (WPA2) – The approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i security standard. For federal government use, the implementation must use FIPS-approved encryption, such as AES.
664 | SOURCE: CNSSI-4009
665 |
666 | Wireless Local Area Network (WLAN) – A group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, APs, and wireless switches—is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring.
667 | SOURCE: SP 800-153
668 |
669 | Write – Fundamental operation in an information system that results only in the flow of information from a subject to an object. See Access Type.
670 | SOURCE: CNSSI-4009
671 |
672 | Write Access – Permission to write to an object in an information system.
673 | SOURCE: CNSSI-4009
674 |
675 | Z
676 |
677 | Zeroize – To remove or eliminate the key from a cryptographic equipment or fill device.
678 | SOURCE: CNSSI-4009
679 |
680 | Zombie – A program that is installed on a system to cause it to attack other systems.
681 | SOURCE: SP 800-83
682 |
--------------------------------------------------------------------------------