
It seemed calm on the outside, but trust me, inside I was screaming. So we're a good ship now. Thank you for coming to the talk, Adventures in Open Source Security. My name is Jordan. I'm an R&D engineer at Duo Security, specifically on the Duo Labs team, and there's my Twitter handle if you like to follow people on Twitter. Now I get it, you know, I understand that we're all adults. I know my place is the last talk of the day. I know that I'm the person between you and the after party, so I'm kind of a thief of joy today. So that's one role that I play, but another role that I play is that I heart open source, and these are some of the projects that I've made.

So this talk is about open source. I wanted to kind of show you my place and my path into open source, and so I've made a few projects. The top left is a honeypot for Elasticsearch instances called Elastichoney, and the top right is a Twitter bot that monitors Pastebin for password dumps; it's called Dumpmon. On the bottom left we have an open source phishing framework called Gophish that I made a few years ago, and that'll be kind of the basis for a lot of the talk today. And then on the bottom I have an email library that I needed to make for Golang, because it turns out, to send phishing emails, you have to have an email library. So it was kind of doing that first and then leading that into Gophish.

So this is kind of the talk in a nutshell. My goal was to kind of explain: here's what the open source security community looks like, here's how to get involved, here's why you might want to get involved, and here are some tips that I've learned, kind of the hard way, along the way with my three or four years of maintaining a pretty large project, which was Gophish. So we're going to start by talking about the current state of open source security tools, and then we're going to talk about how you can get involved yourself in different roles in the community.

So let's start by talking about some great open source security tools, some examples that maybe y'all have heard of, and the places that they fit into a standard environment. The first is kind of around infrastructure management. There's a few great examples. Facebook's osquery is a really good example. This is an on-box, lightweight agent that makes it really simple to report up telemetry about various parts of the operating system. Kind of their pitch is you can query your infrastructure like a database, which is extremely powerful. And then you have Google's Santa, which is an on-box application whitelisting solution for Macs. So if I'm in corporate security I can say, I want to whitelist these applications and only these applications; anything else, throw an alert so that we can figure out that there was something that wasn't approved running on this box. Then we have Security Monkey, which is Netflix's solution to "how do I secure my AWS environment?" There's a lot of pieces, if you've ever played with AWS before, that get involved, each with their own vernacular, their own naming, their own XML. It's just a rabbit hole that goes deeper and deeper. So Netflix makes this really easy, letting you create policy, set alerts, and see kind of in real time changes that are happening across what may be otherwise very unwieldy infrastructure. And last, I included Algo. It's not quite infrastructure management; it's more of like a VPN out-of-the-box solution. So let's say, I think we've all been there if you're sitting in this room, at some point we've said it'd be cool to set up my own personal VPN, like that'd be kind of nice, and then you start reading into the documentation and you realize that you're running these OpenSSL incantations to get these certificates and keys, and it all just gets wild, and you don't know which software to use, how to set up all these configuration options, just to get a little bit of privacy on the internet. So that's what Algo tries to solve. It's a set of playbooks and it's a set of configuration options to make kind of a best-practices VPN very, very easy on something like EC2 or DigitalOcean. So these are examples with big communities behind them, and we're going to talk about community a lot in this talk, because that's one of the things that makes open source security great: we have all these people contributing to these core sets of problems.

Another category is security research, which was kind of the best way that I could phrase mitmproxy, which is a generic proxy. It's extremely popular in the debugging, troubleshooting, security research environment, because it makes it easy to stand up a man-in-the-middle that can sit between, let's say, a mobile application and the servers that it's calling out to, and it'll show you what requests are being made, what responses are being made, and let you modify that traffic in the middle.

And then we have intelligence sharing. So previously we talked about tools, you know, things that you would stand up, things that you would run to do something in your environment, but that's not the full story of what we can do in the open source world. I know that maybe not everyone in here is a programmer; maybe not everyone in here loves to build tools in their spare time. But one thing you do have is knowledge. You have information about how you configured something in your environment. You have knowledge about maybe some settings that you use that really came in handy for something. People have these problems, and so you can share this out and make everyone's lives much easier. Here are two examples. The first is a database of YARA rules, and real quickly, if you see that format of name slash something else, if you put github.com in front of these, that'll take you directly to the project. That's kind of how they're laid out. So YARA rules are an open source format for building rules that match on content. So IOCs, indicators of compromise, are really big whenever it comes to YARA. I can say match this hash, match this file name, but whenever you start into a rule the question is, okay, what the heck am I supposed to match on? You know, if I can match on anything, what do I look for? Well, this is an open source repository of those rules that people curate and maintain as a collection. And then I think most people are probably familiar with, or have heard of, the Twitter personality SwiftOnSecurity. They maintain a Sysmon config which standardizes alerting and event information for Windows environments. It's extremely useful. There's a screenshot of the GitHub there; I'm sure you can all immediately read it. So it's not really meant to be read; it's more to show, like, this is what that project may look like. It's a configuration file, but there's context around it: here's why you might want to use this, here's some ways that you can roll it out. So that's intelligence sharing.

And then there's also security awareness training. I mentioned Gophish before, and I know what you're all thinking: Jordan, you just put this in there because you made it. Yes, that's exactly why I put it in there. I'm extremely biased. I think it solves a real problem, but I worked really hard on this, so I wanted to include it in the presentation. But this is just another example of taking a problem that everyone has and making the solution that everyone can use. That's really the whole idea behind this talk and behind open source security: finding those problems and building the solutions.

And this is a really great repository. It's called awesome-hacking, and this is sharing knowledge again, but this is nothing more than a huge README that's categorized into different topics of security with sub-lists below that. So let's say you're interested in malware investigations; there's a whole list of open source projects for that. Let's say you're interested in pcap analysis; a whole list of projects for that. So if you're looking for a place to go find a ton of really good tools, I'd start there.

So we talked about all this, and again the point is just to emphasize that you don't have to just say, I'm not a programmer so I can't contribute to open source. That's not true. Everyone in here knows something that's valuable. And this also points towards a bigger trend, which is we're seeing this move away from the traditional "I have a box for everything" and more towards an open source SOC. I think there's a workshop right now called Open SOC here at BSides that's going on, that's about how to maintain a SOC using nothing but open source tools. It's incredible that we're at a point now where we can do that, and we can do that effectively, and we have communities behind these tools so we're not feeling siloed behind support channels, for example. So this is the importance of it.

Let's talk about why you should contribute to open source. So it's this big ecosystem; what's in it for you? The first is that you can improve or develop new skills. Now, this doesn't have to just be security knowledge, right? For example, there's a whole bunch of JavaScript frameworks for building websites. You know, maybe you've also heard of some of them. There was jQuery, it was one probably everyone's familiar with, there's React, and there's Angular, and to be honest there's probably been five more released since I started this talk. So if you're ever interested in, like, hey, I'd be interested in learning how to do something like that, applying it to a security tool is a really great opportunity, because it takes those two things that you're interested in, security and front-end development, and lets you put those two together for the sake of learning something new. In fact, Gophish is written in Golang, which is the best name I could have ever come up with, but I didn't know Go before I started building Gophish. I had heard really cool things about it on Hacker News, and I knew, you know, all the hipsters were using it, and so I said, well, let's give it a shot, let's see how it works. And it was very much trial and error over time. If you look at the code added and code deleted for those early stages, it's significant, but over time I got better, and I was able to become proficient in Go largely because I was working on this open source project.

So these skills can lead into a natural resume that you can have. Now let me caveat this by saying I've heard some kind of damaging trends on Twitter, where damaging trends happen, where people are saying you should always only go for people with a GitHub. That's not true. That's not the case. You know, a GitHub is an addition. If you enjoy contributing to open source, a GitHub can be something that is a portfolio for you. You can show this to hiring managers, you can show this to prospective companies, and you can say this is something that I'm interested in; here's proof of things that I've done in the past to give you an idea of what kind of work I'm capable of. It is not a replacement for, you know, all the previous work experience that you have, but it's something public that you can show off if you're looking to step up in your career.

And this is the most important one, which is joining a community and then giving back to the community. This could be the wider security audience, this could be the security industry at large, or it could be a community around a specific tool. Just a couple weeks ago I got back from a conference in San Francisco called QueryCon, and it was around osquery, and it had about a hundred and twenty people there, all there to figure out what are the next steps for this tool, what does the ecosystem look like, putting some faces to names. And that was incredible, because you got to meet some of these people that are working on such an incredible tool, and it showed that you have a lot of networking opportunities. You can start talking about other problems that you're having. It's amazing how that works: if I have a problem that I use osquery to solve, chances are, if you're using osquery, we have similar problems, right? And we can talk about those and we can combat those together. And this is kind of a bigger point to that idea of community. The software is good, don't get me wrong. I'm proud of the software that I make. I'm proud that it's being used. That's great. But the community is even better. You know, the interactions that I have with people, being able to meet new people, being able to share in that experience of building something together and having it being used by any number of different companies, is incredibly rewarding, because it's a networking opportunity for one, but it is just a privilege getting to share that information and working towards a common goal. So if nothing more, just know the community certainly makes it all worth it.

And I mentioned this before, but here's one of the best parts about open source. Let's really think about this now. I mean, how many unique security problems do we really think we have in this room? How many of us want to have strong authentication to your applications? Everyone. How many, you don't have to raise your hand, oh, you do. How many of us want to control access to our data, make sure it's not being exfiltrated by attackers? Everyone. How many people want to know if all of your devices in your environment are up to date? Everyone has that. These are fundamental, fundamental problems that everybody in this room shares. It doesn't change across companies. We're not trying to beat each other; we're trying to beat the people that are going after all of us. That's kind of the motivation behind pairing together and saying, let's tackle this together, not siloed where we all make our own versions of the same thing, we all have our own scripts to do the same thing. Let's build it, let's maintain it, let's improve it, and let's get something really high quality that we can share to a wider audience of people who maybe don't have the same experiences that we do. You know, again, speaking from Gophish, the goal was not to help enterprises that have a large security budget. The goal was to help the mom-and-pop shops who don't have a budget at all be able to get quality phishing simulations for their own company, so that they can stand a chance whenever they're setting up their email infrastructure. We can do that as a security industry, and I think there's a lot of opportunity, maybe not responsibility, but definitely opportunity, to do that.

And now let's talk about the anatomy of an open source community. What does it actually look like when you're building one of these out? The structure looks something like this. There's really three roles that you can play in a community. You can be a user of the software, where you would create issues, you would create feature requests, you would give feedback. You have contributors, which are actively committing code, committing ideas of how something could be implemented. And then you have maintainers, and maintainers are kind of the architects and the stewards of the project. They make decisions, you know, merge in pull requests, and they control the code itself and the direction for the project. This was taken from a website from GitHub that I'm gonna share a little bit later, but this is kind of called the contributor funnel, right? And it's the idea of the scale of each of these groups. You're gonna have a lot more users than you do contributors, by far. You're gonna have a lot of users that you never hear from, because the software either did or did not do what they wanted it to do, and then they moved on or are still just happily using your software. Contributors are a smaller group. They're gonna be a little bit more vocal whenever it comes to support; they're gonna be more vocal whenever it comes to committing code. And finally, maintainers are the smallest group, generally numbering, just take a number out of the air, at ten, and in Gophish I'd say there's one or two poor people, poor maintainers, to the project. But it goes up: every maintainer is a contributor, every contributor is likely going to be a user, and every user is certainly a person.

So let's talk about getting involved. So we talked about what a community looks like; how do we get involved in one? Because this can seem really daunting, you know. If you have these big projects that have established communities or are very active, it could seem kind of scary getting involved in a community. I've been there. osquery was my example. I had not used it a whole bunch before I went to QueryCon, but I wanted to figure out how do I jump in. And this is how you can get involved. We're gonna take each role. We're gonna start out with how to get involved as a user, then a contributor, and then a maintainer.

So let's start with a user. The first is creating good issues. This is so important. You know, GitHub allows you to make issue templates where it says here's what information I need to help troubleshoot, but even as a user, taking that initiative and over-communicating can be extremely effective. At a high level: just what did you do, you know, what did you expect to happen, what actually happened instead, and what additional information can you provide. You'd be surprised. I've gotten issues that say: What did I do? I ran Gophish. What did I expect to happen? It worked. What happened instead? It did not. Any additional information? I got nothing. Like, that's really difficult from a maintainer perspective, because there's endless information, endless different routes that that could go, and it causes a whole bunch of round trips of asking for information and asking for new logs to get to the problem. So the more that can be provided up front, the better.

And providing help to others. I've seen the same issue come up multiple times, and it's incredible to see users jump in and say, I had that issue, here's how I fixed it, or hey, I filed this issue, you know, three weeks ago, you can point to it and we're already kind of working through it. That's the community that I'm talking about, where you don't have to wait for me to get home from work and get all of my responsibilities taken care of so that I can answer you. You have a whole network of people that are there to help and build with each other.

And then you can provide projects feedback. So I love receiving feedback, constructive feedback, like if it has a goal to it. Well, I'll take "Gophish sucks." I'll take that; it's feedback, you know, and it starts a conversation. But sending in issues if you see something wrong, any feature requests: if there's ever a point whenever you're using the software and you think "it'd be cool if," send that in, because there's a good chance that the maintainers and contributors either haven't thought of that before, or have thought about it before and have addressed it in some way. Even if it's "we've decided that's not the direction we're going," sometimes it's "yeah, that's coming out next release, you know, get hyped, it's gonna be awesome."

And finally, letting people know about the project. It's really exciting to get to see people tweeting about projects, to see people posting blog posts on "here's how I set this up." That alone, even writing a blog post on how you set something up, could be argued as contributing to the project, because you're helping people, you're getting people involved, and you're getting the word out. So at the very least, just being active and being engaged can be really beneficial to the community.

So you've used the repository for a little while, the tool or whatever resource it is. It solves a real problem, and you have an idea for something that you want to do. Typically this is how it works: I have an idea for something that I want to fix, now I want to be a contributor. I want to give some code or give some changes or some fixes. How do I do that? So if you don't know where to start, GitHub makes it kind of easy. They have a few different issue labels that you can use as a maintainer to help identify "this is a good issue for someone just joining the project." Maybe it's a documentation fix, maybe it's "this log message has a typo in it," maybe moving something from one part of the code to the other. It's not a big architectural feature, but it's something just to get your feet wet and to feel like, okay, I'm starting to get a handle on this, I can explore this a little bit more. And these are "good first issue" and "help wanted." GitHub will point these out whenever you're looking at a repository. It'll say here's how many issues need help; you can click on that and it'll filter them automatically so you can start finding things to knock out.

But don't be afraid to start small. You don't have to be able to read this. This is actually a pull request that I did to an update specification, so how to update software, called TUF. And I was reading through the spec and I realized a very critical bug, which was that the indentation for the bullets was off a little bit. That's a big deal, right? So I stopped, you know, went to GitHub for that project real quick, made my own copy, fixed the indentation, and submitted it back up. It took maybe ten minutes, but that's a contribution, because otherwise that maintainer would be either not knowing that that's there, or having to fix it themselves, which takes more time away from what they're already working on. So even though they're small, documentation fixes can be huge and incredibly appreciated by the maintainer.

And don't be afraid to ask for help. This is legible; this is a pull request that I got a couple weeks ago, and it was to add sending delays to the way we send emails. But what I really liked about it was that the person submitting the pull request said, here's what I'm trying to do, here's my approach, here's where it's been talked about in the past, but I want to hear your feedback. I don't know if I'm doing this the right way. I've had people say, this is my first time using Golang, I don't know if I'm doing things correctly. Ask for help, because I love to give help, and maintainers in general love to give help. They want your efforts to be recognized and to be used, so they'll guide you along. In this case I was able to say here's how we can get from A to B. You know, I know the code better than they do, so I can help guide them through that process so that they can be contributing quicker, which is a really good win for everyone.

And now let's talk about getting involved as a maintainer. So you've contributed to a project and you said, I want to branch out. I want to publish my own tool or my own resource of some sort. How do I decide what I want to open source? These are the three things that we talked about earlier, and they're kind of in terms of scale to some extent. It can be as simple as knowledge about a topic. I want to publish a blog post on how I did X. That's really useful, because people are going to be searching for that whenever they run into the same problem that you did and want to know how to fix it. And then you have scripts. You know, how many of us have ever written a simple script to get something done at work? I'm also going to assume all of y'all probably will raise it, but most of y'all, yes, have written some sort of simple script to do something. There's a chance that someone's gonna have that same exact need later. You know, let's say, earlier there was a talk about parsing Google's access logs into a readable format. A lot of people use G Suite, a lot of people use Google's products, and they want to parse those access logs. That was a great example of something they decided to open source so that people can use it later on. Maybe in the process of using it someone finds a bug that you didn't know about, and they help you fix it. And finally there's full products. These are the osqueries, these are the Gophishes, the Metasploits, or any number of these big open source projects that have been around for a while. They start small and they build up over time, but you can certainly commit to "I want to start working on this solution that's going to have multiple different components along the way." I'd encourage working from left to right, but it's 100% up to you. And keep in mind, you've likely already built something that you can open source. If you're sitting in this talk and you're wondering, okay, well, I gotta go build something new, that's probably not the case. I would encourage you to find something that solves a problem for you, something that you found useful, something that you're legally allowed to open source, and just, you can put it up on GitHub. It doesn't take a lot of effort. You don't have to worry about filling in all the different unit tests and all this stuff around it. Put it out so that it sits there. That's the hardest part, is pushing the commit button, and then it's downhill from there. Downhill? Yeah, yes. You're at least 20% of the way there.

So now let's talk about some tips for maintaining projects. So this is from my own experience, things that I've battled with, things that I've done wrong and then had to circle back from, that may help you when maintaining projects in the future. The first is to respond quickly and kindly. Now, I'm not saying that you have to give a paragraph response to everybody, but it helps to respond with something. If someone files an issue or a pull request, you want to at least acknowledge their presence, you know, say, hey, I hear you, I see it, I don't have an answer right now, but give me a few weeks and I'll get back to you. That alone is perfectly reasonable. The most frustrating thing, I guess, from a user's perspective that I've had, is whenever I submit an issue and I just never get a response, ever, which is, that's fine, that's allowed, but even if you could say, you know, "no" is better than nothing, right? You know, if you come back and say, I'm just not gonna do that, because, then that's already better than not getting any response at all. But it helps to thank them for reaching out. That's always usually how I'll start a response: thank you for reaching out. I'll put in my tagline, "thanks again, Jordan," right? And that small note says you're not a burden, you're not a problem, I'm here to help you. And also don't be afraid to ask for more information. Don't think that you have to solve a problem using what you have. I'm very, very quick to say I need more logs, I need more information from this particular aspect, which can help you troubleshoot a little bit quicker, because your time is valuable. You know, don't think that you have to spend it trying to do everything yourself.

And be transparent. What you see on the right is a screenshot from an issue that I opened, because I manage everything through issues, where I wanted to talk about a big change moving forward with Gophish in regard to transparency with how phishing campaigns are run. Okay, long story short, and with this, it was less to get approval and more to make it very clear: here's why I'm doing what I'm doing, here's the goals that it solves, and here's what you can expect moving forward. And so that's the bullet you see there: what goals do I have, where can people help, and how are these decisions made. The way I laid it out was I had the problem first, I have my goals, and then finally I have my solution, here's what's going to happen, and then my solution. Did that really break everything?

And thank contributors. Contributing to a codebase is a very selfless act, right? You know, sure, you get the benefits of it, you probably solved that problem for a reason, but they are taking the time out of their day to push those back upstream. It's really easy to fix it for yourself and keep it fixed for yourself and let everyone else be struggling with those bugs. So this can come in a whole bunch of different forms, and this is one of the things I always get excited about. It can be as simple as, in the changelog, say, like you see here on the bottom, thank you for what you do; I know that there's a lot of contributors out there, it's much appreciated. You can also, in GitHub specifically, you can add them as a contributor to the project, where they can't push any code without approval, but it gives them a badge next to their name that just says "contributor." It's a super small thing, but it's kind of a source of pride. If they're answering issues and they see "contributor" next to their name, it makes them feel like a very included part of the project. My windows are up, so we're good. And then lastly, a simple thank you is always useful.

Right now you want to manage your support channels. It's really easy to be ambitious whenever you're open sourcing something. To give you a flashback, it was 2012, 2014, somewhere around there, I just open sourced Gophish, and I offered email support, I offered instant message support, GitHub issues, and I think there was some other form of ticketing software, some other form of "you can get information my way." This is unmanageable if you're a single person, because people will find the thing that works best for them. They'll try to reach out, all good intentions across the board, but there's just not that much time in the day to be able to respond across all these different channels and to keep up with all these different channels, because usually this is going to be side time outside of your normal day job, right? And maybe a little bit more simply, what I want to tell you: don't use email as a support channel. Why would that be? Anyone know? Sure, right, right. And also, how many people can see that email? Just the person who sent it and you, right? So what you're gonna have is you're gonna have the same issues coming in over and over with people, and they're gonna go to email because they want to reach out to you personally as opposed to broadcasting issues in kind of the public domain, right? So I got a lot of emails really, really quickly, and found that I can't tell people where to go to look for the solution that I gave. And then a lot of the emails look like this: "it doesn't work, you know, can you help me out." So if you're looking at a way to manage this community and a way to manage these issues, I'd say the more public the better. You know, the more areas where people can jump in and help, the better. And that's why now, just as a personal preference, everything is through GitHub issues. It doesn't matter what it is; it's all there, so that I can point people back and get people referenced where they need to go.

And don't be afraid to market your project. So this is the landing page that I made for Gophish. I know it looks really good in like 800 by 600 resolution, but to build this I used a template builder. I found like an online template builder and I plugged in my own text, made a couple screenshots, and published it out on GitHub Pages, which can host static websites for completely free. I'm working on, as a designer, I'm working on a blog post soon about how to market an open source project for free, essentially, like how you can set up a full HTTP domain, a website, a really nice-looking landing page, email, the whole bit, for just the cost of the domain name, and so, just kind of stepping from A to B. So I guess you can keep an eye out. But don't be afraid to market your project. Tell people about it, go to conferences like this one, and let people know that it's out there, because there's so many projects these days it's kind of hard to keep up with them. It's kind of hard to keep up with what's coming out.

And this is something that's important to remember, and this is something that I kind of have as a personal go-to, because at the end of the day, it's free software. It's really easy to get too attached to your code. It's really easy to get too attached to what you're doing and wind up burning yourself out. That's the sad reality of it. I've seen it happen, and I've seen people talk about it, where sometimes users that come in, maybe they're not so nice. Maybe they almost want to blackmail you, guilt you, to get something fixed. I've heard people with their own projects have people come in and say, don't you care about your community? Don't you care about your project? This is kind of emotional manipulation, right? Remember, at any given point in time, it's okay to say no to a request. You have that right; you have that responsibility if it doesn't allow you to succeed and allow that project to succeed. On a similar note, it's okay to stop working on a project, and it's okay to never start working on a project. If you have a script that solves a problem, you want to open source it, but you definitely don't want to maintain it, you can put it up on GitHub and in the README say, I will never answer any questions that come in here. That at least sets the expectation, that sets the understanding between the people using it and you, so that they don't think "this person is just not responding to me." It's okay to remember that you're a person, to remember that you have time, you have effort that you're already volunteering. So take care of yourself. Be kind, but make sure that you're watching over the things that you're doing to help you succeed. So I always say that because I'm guilty of being too long before I say no, so, hypocrite over here.

So let's talk about next steps. So I'm sure all of you right now are just like, oh my god, give me a keyboard, I'm ready to open source something. So I'm going to tell you where you can go to find projects to contribute to. And the first is Open Source Guide. This is less of a how to find projects and more of a very extended CSS version of this talk that's not security specific. It's made by GitHub, and it's about managing open source communities in general, which will cover a lot of the same topics that I talked about today in a little bit different light, so I highly recommend it. And then there's github.com/topics/security. So in GitHub you can set a topic, or a tag, for your project, and one of those that's really popular is security. And so by going here you can see what are the most popular security projects that I can contribute to, what are the most active security projects that I can contribute to, and it gives you a prioritized list of places that you can jump in, which is about as good as it gets. So I highly recommend, if you're looking for projects, to go there, or to that awesome-hacking repo that I talked about just a little bit earlier.

And finally, this is kind of a call to action. Let's all look out for one another, right? The security industry is all working together to solve a common set of problems. It's easy to get in these blinders where we think I just need to solve my problems because my problems are special, no one else is dealing with what I'm dealing with, when that's not the case at all. We've seen today, just during this conference, some incredible talks by incredible speakers that are open sourcing new tools, that are open sourcing their knowledge. That's a really good place to start. You know, there are people who have just released something and they need help moving it forward. So always be on the lookout for ways to contribute in even small ways. We need more maintainers of projects, we need more contributors to projects, and everyone in here, even if you're not a programmer, even if you've never open sourced something before, you can have a big impact even with whatever time that you have. So with that, thank you. I appreciate y'all coming out, and enjoy the after party. Are there any questions?