Bossie Awards 2016: The best open source networking and security software

The major theme of our winners in the Networking and Security category this year is unabashedly security. As organizations become more distributed and users increasingly mobile, it seems that only VPNs and SSH connections stand between us and Armageddon. Our Bossies celebrate the innovative tools that are encrypting the web, fighting intruders, eradicating malware, and plugging the holes in our networks and applications.

[ InfoWorld unveils the Bossies: The best open source products of the year. | The best open source applications. | The best open source datacenter and cloud software. | The best open source application development tools. | The best open source big data tools. | Stay up on open source with the InfoWorld Linux report. ]

A datacenter penetration testing tool, Infection Monkey spins up infected virtual machines in random parts of the network. Inspired by Netflix’s Chaos Monkey, Infection Monkey looks for potential blind spots in the overall network security chain by testing for weaknesses in security controls. It scans the network for open ports and fingerprints machines using multiple network protocols. It even attempts to attack machines using methods such as intelligent password guessing and safe exploits. Successful lateral movement indicates a failure in security defenses that needs addressing.

-- Fahmida Y. Rashid

The Electronic Frontier Foundation is working toward a world where all web traffic is encrypted by default. First came HTTPS Everywhere, a browser extension that ensures the use of secure connections. Now the EFF aids website administrators with its free Let’s Encrypt CA (certificate authority). To automate the process, the EFF released Certbot, a client that communicates with Let’s Encrypt to get TLS/SSL certificates and configures the web server to use HTTPS. Like many other cert clients, Certbot communicates over the Automated Certificate Management Environment (ACME) protocol, which means it can work with other CAs so long as they support ACME.

-- Fahmida Y. Rashid

Sponsored by the Open Networking Foundation, Delta is designed to help penetration testers probe software-defined networks for any security issues. The project includes a testing framework to validate security features of OpenFlow-based switch and controller implementations, along with a specialized fuzzing module to find unknown security flaws.

-- Fahmida Y. Rashid

Domain Controller Enticing Password Tripwire (DCEPT) is a honeytoken-based tripwire for Microsoft's Active Directory from Dell SecureWorks. Honeytokens are pieces of information intentionally littered on a system so that they can be discovered by an intruder. In the case of DCEPT, the honeytokens are bogus domain administrator login credentials. A login attempt using these tokens would mean that a malicious actor had penetrated the network and was attempting a privilege-escalation attack.

DCEPT has three parts: a server component that generates honeytokens, an agent that caches the honeytokens in memory, and a monitor that passively listens for login attempts that match a honeytoken. When DCEPT sniffs a bogus login, it sends an alert revealing the name of the compromised computer and the time of the login attempt.

-- Fahmida Y. Rashid

Generally speaking, software improves over time. Users are wise to run the latest versions, and developers are wise to code to the latest libraries. VersionEye checks the libraries in your development projects against the contents of package managers for Java, Node.js, Python, PHP, Ruby, and other languages, alerting you when your libraries are no longer up to date.

VersionEye also does license checking and provides information about security vulnerabilities in commonly used libraries. VersionEye integrates with GitHub, Bitbucket, and Stash to scan project files and identify outdated dependencies. When users log into VersionEye with their repository account, the software detects corresponding dependencies and notifies them when new versions become available. Users can also define which license types they are using as part of license whitelisting.

-- Fahmida Y. Rashid

Pwnie Express provides penetration testers with a rich collection of open source tools for network and mobile testing, in a variety of hardware form factors. The humble Pwn Plug has evolved over the years into the sleek Pwn Pad 4 tablet and the Pwn Pro networking device. Pwnie Express also maintains the Android Open Pwn Project (AOPP), an Android ROM built for penetration testers. Based on the Android Open Source Project and community-developed ROMs like CyanogenMOD, AOPP gives developers the tools and components necessary to create their own mobile penetration testing platforms.

-- Fahmida Y. Rashid

A modular framework for conducting security assessments of iOS applications, Needle does for iOS what Drozer does for Android. Assessments typically require using multiple tools, which can be time-consuming and difficult to track. Needle can be used by security professionals testing iOS apps, as well as by developers securing their code. Currently, Needle performs both dynamic analysis and static code analysis of iOS apps, along with hooking tests and tests of data storage, interprocess communications, network communications, and binary protections. New modules can be added to Needle as Python scripts. Note that Needle must run on a jailbroken device.

-- Fahmida Y. Rashid

I remember the first time I saw Telnet running on a smartphone, back in the early 2000s. Connecting to a server or network device while on the go both appealed to my inner nerd and provided sweet release from my desk, allowing me to connect to anything anywhere as long as my phone had a signal.

ConnectBot offers that same freedom we once only dreamed about -- although connecting via SSH on the go to check in on a server feels more like work than novelty these days. SSH isn’t necessarily sexy, and frankly neither is this app, but it does provide an end-to-end encrypted tunnel (using SSH-2, with a default RSA key size of 2,048 bits) to your enterprise systems, shielding the communications against interception and validating the host when connecting to gain a remote shell login.

ConnectBot allows for port forwarding, good terminal emulation, and copying data from the terminal to the clipboard of your mobile device. While it may lack a few niceties, such as landscape mode and SCP (Secure Copy), it is completely solid for day-to-day management and monitoring of devices whenever you’re away from your desk.

--Victor R. Garza

You know your friends are security conscious when the first thing they ask when starting a new text conversation is, “Are you running Signal?” If you want to make sure your text and video calls are secured with end-to-end encryption, then you’d best be running Signal on your iPhone or Android smartphone.

After putting in your phone number (which is how Signal identifies you), Signal combs through your contacts to find out who else is running Signal. You have the option to run Signal as your primary SMS application, letting Signal handle both encrypted and unencrypted texts, or you can have Signal deal only with encrypted text messages.

Signal’s encryption technology is used in all sorts of places to secure conversations including WhatsApp and Facebook’s new Messenger Secret Conversation. Supporting both secure chat and voice calls (which are encrypted using technology originally developed by Phil Zimmerman), Signal can support one-to-one and group chats and one-to-one voice calls. Pictures and video are supported when using chat with one other person.

Signal is designed to work in low-bandwidth environments, so you can count on the message being instantly delivered. Leveraging Wi-Fi, your encrypted voice calls can save precious phone plan minutes while staying secure and private. There are problems working with tablets at the moment, so stick with a phone for conversations that are only a whisper away. A Chrome App is currently in development.

-- Victor R. Garza

After a cybercompromise, mitigation and containment are the first orders of business. Finding out how the bad guys got in (and ensuring they don’t get in again) is next. Google’s GRR Rapid Response pairs a central server with client-side agents to form an enterprise scalable incident response tool that can help you discover and mitigate system compromise anywhere on your network.

GRR clients for Windows, MacOS, and Linux enable live remote memory access and analysis using the Rekall framework. GRR also has extensive search and hunting capabilities, allowing you to sift through clients across the network, discover processes and files, compare files and Windows registry entries, and capture hashes or download files from the client. You can execute collections of tasks across a large number of machines, automate iterative and repeating tasks, schedule future tasks, and draw on an IPython console for scripting analysis.

All of this is presented through an AngularJS Web UI, though the GRR server also leverages SleuthKit and its collection of command-line tools for OS-level and raw file system inspection.

GRR works very well on low-bandwidth links, making it an excellent choice for distributed organizations and global deployments. A secure communications infrastructure (messages are signed and encrypted) ensures that sensitive information stays within your organization.

-- Victor R. Garza

The Sleuth Kit (TSK) is a fairly comprehensive collection of tools for analyzing and recovering files from disk images, useful for postmortem computer forensics in a corporate investigation of unauthorized use, an issue of workplace harassment, or a criminal investigation by law enforcement. TSK is the tool to use to dig deep into the disk.

When it comes to forensics at the file system level, TSK combines a number of command-line utilities (including fls to display file names within a file system, fsstat to show file system statistical data, and ils to list metadata entries, among others) with support for common file systems (including NTFS, FAT, ExFAT, UFS, EXT, and HFS), allowing you to examine Windows, many Linux, and most Mac OS X systems. Need to go deeper? TSK also allows you to drill down to the bits of a hard disk image to see what may be hidden within.

Working hand in glove with TSK is Autopsy, a GUI-based tool for searching disk images. Autopsy, by default, will search for recent user activity, email, pictures, IP addresses, phone numbers, URLs, and other interesting file types and tidbits. You can have Autopsy search for specific keywords and regex strings, or use it to dredge up files that contain audio or video, a plethora of document types, or any number of executable file types.

Between TSK and Autopsy, you can be sure that any disk you examine will reveal its secrets.

-- Victor R. Garza

Security compliance testing is as difficult as it is important. If you need to constantly monitor scores of Linux or Unix systems for vulnerabilities and configuration issues, you should have Lynis in your toolkit. A fast system auditing tool, Lynis runs more than 175 tests right out of the gate, drawing on tests from NIST, NSA, and CIS, OpenSCAP data, and vendor guidelines and recommendations. An enterprise version lets you roll in your own custom checks through plugins.

Lynis is a simple and straightforward security scanner that can be downloaded and run with a couple of commands in a couple of minutes. Lynis also makes it easy to schedule scans for automated compliance testing. The assessments are fast, and the generated report is easy to read, with a detailed layout of system security information organized by hardware and software present. Lynis can expose noncompliant configurations, missing files and services, weak security settings, and accounts without passwords, to name a few of its capabilities.

Lynis runs on almost all flavors of Linux and Unix, including MacOS, AIX, HP-UX, and Solaris. It will even run on Raspberry Pi. Whether for quick checks of your system’s health or regular audits of system configurations against your organization’s baselines, you can’t go wrong with Lynis. It's fast, efficient, and what do you have to lose? Oh, yeah, potentially everything.

-- Victor R. Garza

Cuckoo Sandbox is a fenced-in or sandboxed environment for automated malware analysis. Best used inside virtual machines (VMware Workstation or Oracle's VirtualBox), Cuckoo Sandbox allows you to process high volumes of malware, automating analysis tasks and facilitating the reverse engineering of the code that threatens to compromise your systems and networks. Cuckoo really shines in its capacity to scale up the process of malware analysis.

Cuckoo Sandbox assists in the initial investigation of malware and identifies what the malware does and is capable of, without your having to trudge through the intricacies of tearing apart malware by hand. Also, while Cuckoo is not particularly easy to set up, it can be used by the novice familiar with Linux, virtual machines, and some Python. Cuckoo is helpful for the novice learning about malware analysis, but it's invaluable to the seasoned IT person looking to expedite the malware analysis process and gain access to the malware executable.

Jurriaan Bremer, one of the lead developers for Cuckoo, has also created VMCloak, a tool that automates the process of creating and cloning VMs and applications, like Microsoft Office, that give the malware something to chew on. VMCloak also hides the VM from the malware, so the malware doesn’t know it’s being contained, like a koi in a fishbowl.

-- Victor R. Garza

Vault, like Consul built by HashiCorp, is a tool for secrets management. Whether it’s API tokens, database credentials, or other sensitive data, Vault provides a simple mechanism for encrypting these secrets. While an encryption service is certainly important, Vault gets even more interesting when you look at dynamic secrets. Dynamic secrets are secrets that don’t exist before they are used and are automatically expired, so they're substantially more secure than long-lived, easily shared passwords.

Vault can be configured to generate dynamic secrets for your applications on request, whether to provide access to a PostgreSQL instance or an S3 bucket. When the application requests credentials to a Postgres instance, Vault will create a brand-new user in the database and return those credentials to you. Each dynamic secret Vault creates is leased and expires automatically unless the lease is renewed.

Dynamic secrets paint a much prettier secure access picture than handing out static passwords to all of your applications. If passwords you must, Vault can be configured to persist encrypted static secrets to Consul or to disk. Or you can skip persistence entirely and expose Vault’s encryption APIs, giving your developers battle-hardened encryption as a service so that they don’t have to code it themselves.

-- Jonathan Freeman