Security

Authentication

• Authentication Systems
  • KeyCloak
  • Authentik
  • Kanidm: Both Web and Linux PAM
  • Netlify Identity: Netlify’s Authentication…basically a hosted version of their Open-source GoTrue library.
  • GoTrue: Open soruce JWT authentication backend)
  • SuperTokens: Open source authentication solution, similar to Auth0
• Securing Git with SSH and FIDO security keys

Automated Code/Infra Scanning

Toward the top, as automated scanning of code and infrastructure is the first line of defense against security compromise.

• Semgrep: Static Analysis at ludicrous speed.
  • Includes Docker and Kubernetes analysis
• tfsec: Terraform Security Scanner

Infrastructure Scanning

• GovReady Github: An entire Government sponsored site that integrates open source tools into government standards. Policies for CentOS and Ubuntu exist, as well as a lot of other resources.
• OpenSCAP: Open source tool to read and evaluate system security based on SCAP standards
• Lynis: Another security scanner for Linux/Unix systems, focusing around common standards and best practices. Seems far easier to install and configure than OpenSCAP.

General Info

• Free CyberSecurity Services and Tools - CISA
• Configuration Standards
  • Center for Internet Security: Provides configuration guides for common OS and server software.
  • Linux Foundation Workstation Guidelines: Excellent overview for securely configuring a Linux workstation
• Endian: Appliance for security and hotspot management
• HAR Cleaner: Clean HARs. Root cause of the Okta Compromise
• IPFire: Linux based firewall distro
• Mailu: Docker based e-mail system. If I were to deploy a mail system today, this would be the basis. Granted, I feel that there is limited justification for hosting one’s own mail system.
• Office IANA IP Block List - Compiles official IANA list of variosu countries. Interesting enough, using Powershell to compile.
• Odessa: Alternative to Autopsy/Sleuth Kit for Open Source forensics work.
• OPNSense: OpenBSD based firewall. Prefer it architecturally to pfSense
• Snort: Open source intrusion detection system.

Randomness

• League of Entropy and drand: A distributed, crytographically verifiby source of entropy.

Secrets Management

• Github-to-SOPS: Interesting method using SOPS and Github user SSH keys, and AGE to build a light-weight secrets management platform
• Sealed Secrets: My goto for secrets management in k8s with no cloud dependencies.
• External Secrets Operator: My goto for cloud-provided secrets management

SSL/TLS Information

• Let’s Encrypt: Freely available certificates for websites. Requires a client as the certficates are only valid for 90 days, but many clients exist. I currently use EFF Certbot
• Zero SSL: Method to obtain Let’s Encrypt Certificates without installation. *WARNING:- If using their website tools, you are completely trusting this site. Do not do this for any site in which sensitive information will be transmitted! Although honestly, those type of sites should probably purchase an EV certification.
  • Also supports 1 year certificates, and ACME protocol integration. I nice alternative SSL provider if needed
• Step-CA - Automated on-prem solution. Needs additional research - and more inclinded to just leverage SSL Private CA below.

OpenSSl Usage and CA

See OpenSSL Cheatsheet

Reading

• Lessons From Reviewing Postmortems
• The Problem with PGP