5 open source security tools too good to ignore

Look to these clever open source tools to keep secrets out of source code, identify malicious files, block malicious processes, and keep endpoints safe

Open source is a wonderful thing. A significant chunk of today’s enterprise IT and personal technology depends on open source software. But even while open source software is widely used in networking, operating systems, and virtualization, enterprise security platforms still tend to be proprietary and vendor-locked. Fortunately, that’s changing.

If you haven’t been looking to open source to help address your security needs, it’s a shame—you’re missing out on a growing number of freely available tools for protecting your networks, hosts, and data. The best part is, many of these tools come from active projects backed by well-known sources you can trust, such as leading security companies and major cloud operators. And many have been tested in the biggest and most challenging environments you can imagine.

Open source has always been a rich source of tools for security professionals—Metasploit, the open source penetration testing framework, is perhaps the best-known—but information security is not restricted to the realm of researchers, investigators, and analysts, and neither are the five open source security tools we survey below. IT administrators and software developers have a key role to play, and with these five tools, they can make a difference.

Commit Watcher: Check code repos for secrets

Secrets don’t belong in open source repositories, but that doesn’t stop absentminded developers from storing them there. We’ve all read the reports of people accidentally exposing private Amazon Web Services keys, hard-coded passwords, or API tokens by uploading them to GitHub or other code repositories.

To combat this, SourceClear came up with Commit Watcher, a free open source tool that looks for potentially hazardous commits in public and private Git repositories. Developers and administrators alike can use Commit Watcher to monitor their own projects for accidental credential disclosures, as well as the public projects they depend on, to learn whether those projects have issues. For example, when a public project is updated with a commit such as “fixes XSS attack,” Commit Watcher will notify the developer who uses it to pull a newer version of the dependency.

Commit Watcher periodically polls projects for new commits and looks for matches against any of the keywords and phrases defined in the project’s rules. The rules include regular expressions for filenames, code patterns, comments, and author names. Commit Watcher comes with dozens of preconfigured rules that look for AWS credentials, Salesforce credentials, SSH keys, API tokens, and database dump files.
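To make the rule-based polling described above concrete, here is a small scanner of the same shape, written for this article rather than taken from Commit Watcher's code base. Every rule set (file-name patterns, content patterns, commit-message keywords, author filter) is an assumption for this example, the commit records are constructed, and the AWS key string is the placeholder from Amazon's own documentation, not a live credential.

```python
import re
from dataclasses import dataclass

# Rule sets are constructed for this example; they are not Commit Watcher's
# own rule files. Each maps a human-readable rule name to a compiled regex.
FILENAME_RULES = {
    "private SSH key file": re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"),
    "database dump": re.compile(r"\.(sql|dump)$", re.IGNORECASE),
    "dotenv file": re.compile(r"(^|/)\.env(\.[\w-]+)?$"),
}
CONTENT_RULES = {
    # AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hard-coded password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
}
MESSAGE_RULES = {
    # A dependency's commit message hinting at a security fix is worth a notification.
    "security fix mentioned": re.compile(r"(?i)\b(?:xss|sql injection|csrf|rce|cve-\d{4}-\d+)\b"),
}
AUTHOR_RULES = {
    # Hypothetical corporate domain: flag commits whose author is outside it.
    "author outside corporate domain": re.compile(r"@(?!example\.com$)[\w.-]+$"),
}


@dataclass(frozen=True)
class Finding:
    sha: str
    rule: str
    location: str  # "message", "author", or the file path that matched


def scan_commit(commit: dict) -> list[Finding]:
    """Apply every rule set to one commit and return all matches."""
    findings = []
    for rule, pattern in MESSAGE_RULES.items():
        if pattern.search(commit["message"]):
            findings.append(Finding(commit["sha"], rule, "message"))
    for rule, pattern in AUTHOR_RULES.items():
        if pattern.search(commit["author"]):
            findings.append(Finding(commit["sha"], rule, "author"))
    for path, content in commit["files"].items():
        for rule, pattern in FILENAME_RULES.items():
            if pattern.search(path):
                findings.append(Finding(commit["sha"], rule, path))
        for rule, pattern in CONTENT_RULES.items():
            if pattern.search(content):
                findings.append(Finding(commit["sha"], rule, path))
    return findings


def scan_history(commits: list[dict]) -> dict[str, list[Finding]]:
    """Scan a batch of commits (e.g. everything new since the last poll).
    Only commits with at least one finding appear in the report."""
    report = {}
    for commit in commits:
        hits = scan_commit(commit)
        if hits:
            report[commit["sha"]] = hits
    return report


# Constructed sample commits; shas, authors, paths and contents are made up.
SAMPLE_COMMITS = [
    {
        "sha": "c0ffee1",
        "author": "dev@example.com",
        "message": "add deploy script",
        "files": {
            "deploy/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nREGION = "us-east-1"\n',
            "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                             "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                             "-----END OPENSSH PRIVATE KEY-----\n",
        },
    },
    {
        "sha": "c0ffee2",
        "author": "dev@example.com",
        "message": "fixes XSS attack in search form",
        "files": {"web/search.py": "def render(q):\n    return escape(q)\n"},
    },
    {
        "sha": "c0ffee3",
        "author": "contractor@other.example",
        "message": "tidy build script",
        "files": {"Makefile": "all:\n\t@echo ok\n"},
    },
    {
        "sha": "c0ffee4",
        "author": "dev@example.com",
        "message": "update README",
        "files": {"README.md": "# project\n"},
    },
]

if __name__ == "__main__":
    for sha, hits in scan_history(SAMPLE_COMMITS).items():
        for f in hits:
            print(f"{sha}: {f.rule} ({f.location})")
```

In a real deployment the commit records would come from `git log -p` or the hosting provider's API on each poll, and the file-name rules would run before the content rules so that large dump files are flagged without being read in full. Regex rules of this kind produce false positives on test fixtures and documentation, so a practical scanner keeps an allowlist of known-benign paths alongside the rules.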

Jak: Encrypt your secrets in Git

It’s Developer 101 to keep secrets out of your code. Instead, you should keep them in a configuration file, then add the config file to the .gitignore list to prevent it from being committed to the code repository. Keys to connect to items like payment systems, emailers, and virtual machines, which have to be manually placed directly onto application servers, must be managed completely separately from the source code. This presents challenges when those keys need to be shared.

