Security and Privacy References¶
Besides FOSS software tools many other type of tools exist within the field of security and privacy.E.g. Knowledge tools, design templates, risk sheets or collections of specific security guides that helps you when creating your solution.
When creating this reference architecture, we performed serious research. We used many valuable sources (books, articles, scientific publications, blogs, etc). In this section you find real reusable tools. All tools are focused on helping to solve your security and/or privacy challenge easier. So you find many reusable real open (cc-by) tools for so you can create your solution without reinventing the wheel again.
We believe that all knowledge for building better security and privacy solutions should be available under an open access license. This is why all references in this section are open access references or available for free under an open liberal license.
FOSS Security Software Repositories¶
The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace. OSS invites cooperative development of technology, encouraging broad use and adoption.
The collection of NSA repositories is large and some are too good to be neglected. To name a few:
Apache Accumulo: A sorted, distributed key/value store that provides robust, scalable data storage and retrieval. It adds cell-based access control and a server-side programming mechanism that can modify key/value pairs at various points in the data management process.
CASA: Identifies unexpected and prohibited Certificate Authority certificates on Windows systems.
DCP: A program that reduces the timespan needed for making a forensic copy of hard drives for forensic analysis.
JAVA PATHFINDER MANGO (JPF-MANGO): A static code analysis tool that uses formal methods for analysis. It is part of NASA Ames Java PathFinder project which is a system used to verify executable Java byte code.
LEMONGRAPH/LEMONGRENADE:Log-based transactional graph database engine backed by a single file. The primary use case is to support streaming seed set expansion, iterative correlation, and recursive file processing.
Apache NIFI: Automates the flow of data between systems. NiFi implements concepts of Flow-Based Programming and solves common data flow problems faced by enterprises.
OPENATTESTATION:Verifies system integrity by establishing a baseline measurement of a system’s Trusted Platform Module (TPM) and monitors for changes in that measurement. Originally based on NSA’s Host Integrity at Startup (HIS) software.
SYSTEM INTEGRITY MANAGEMENT PLATFORM (SIMP):Automates system configuration and compliance of Linux operating systems so they conform to industry best practices.
For all NSA repositories see: https://nationalsecurityagency.github.io/
General information on information security¶
High-level overview of information security principles: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
Software Security Knowledge Area: https://www.cybok.org/news/software-security-ka-issue-10 Document of the CyBOK project(https://www.cybok.org) to harvest security knowledge.
Cryptography KA issue 1.0, 2018:https://www.cybok.org/news/cryptography-ka-issue-10 Also of the CyBok project.
A modern practical book about cryptography for developers with code examples. Practical Cryptography for Developers: https://cryptobook.nakov.com/
The OWASP Automated Threat Handbook provides actionable information and resources to help defend against automated threats to web applications. https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
NIST Framework for Improving Critical Infrastructure Cybersecurity:
Jericho security model, Open Group, https://collaboration.opengroup.org/jericho/
OECD privacy framework 2009, 2010,http://oecdprivacy.org/
Software Assurance Maturity Model (OWASP), http://www.opensamm.org/
Open Security Architecture (OSA), http://www.opensecurityarchitecture.org/
Mozilla Information Security Guides, https://infosec.mozilla.org/ Technical guidelines, principles and general information as used by the infosec team of Mozilla.
Privacy References Architectures and Models¶
Privacy represents a broad variety of concerns — subjective, contextual, hard-to-define — that real people have about the flows of personal information. This initiative is building a living, community space where everyone can contribute their privacy design patterns. https://privacypatterns.org
IMMA Privacy reference architecture, publication of the Dutch Ministry of Infrastructure and the Environment,March 2016, http://www.beterbenutten.nl/assets/upload/files/IMMA/IMMA-Privacy-reference-architecture-EN-2016.pdf
Privacy Management Reference Model and Methodology (PMRM) Version 1.0, Committee Specification Draft 01, 26 March 2012, http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.pdf
Privacy Management Reference Model and Methodology (PMRM) Version 1.0, http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.html
AICPA/CICA Privacy Maturity Model March 2011, http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/DownloadableDocuments/AICPA-CICA-Privacy-Maturity-Model-ebook.pdf
Generally Accepted Privacy Principles (GAPP),https://www.cippguide.org/2010/07/01/generally-accepted-privacy-principles-gapp/
UN Handbook onPrivacy-PreservingComputation Techniques, http://publications.officialstatistics.org/handbooks/privacy-preserving-techniques-handbook/UN%20Handbook%20for%20Privacy-Preserving%20Techniques.pdf This document describes motivations for privacy-preserving approaches for the statisticalanalysis of sensitive data, presents examples of use cases where such methods may apply and describes relevant technical capabilities to assure privacy preservation while still allowing analysis of sensitive data.
Open Access Privacy Journals¶
Proceedings on Privacy Enhancing Technologies http://www.degruyter.com/view/j/popets
PoPETs is the journal that publishes papers accepted to the Privacy Enhancing Technologies Symposium (PETS). PETS brings together privacy and anonymity experts from around the world to discuss recent advances and new perspectives. PETS addresses the design and realization of privacy services for the Internet and other data systems and communication networks.
Transactions on Data Privacy¶
The aim of the Transactions on Data Privacy (TDP) is to provide an international forum for researchers on all topics related to data privacy technologies. http://www.tdp.cat/
Guide to data protection¶
This guide is for those who have day-to-day responsibility for data protection. It explains the purpose and effect of each principle, gives practical examples and answers frequently asked questions. https://ico.org.uk/for-organisations/guide-to-data-protection/
Open Foundations on security & Privacy¶
Python Forensics, Inc.¶
A non-profit organization focused on the collaborative development of open source investigative technologies using the Python programming language. See: http://python-forensics.org/ for more information.
The OpenSCAP project provides tools to improve security of your infrastructure using open source tools. This project is founded by RedHat and the tools are NIST certified. Use of the tools is encouraged if your systems or infrastructure needs to meet NIST (or other US) security standards. https://www.open-scap.org/
Center for Internet Security (CIS)¶
The Center for Internet Security (CIS) is a 501(c)(3) organization is dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. CIS’s Mission is to: Identify, develop, validate, promote, and sustain best practices in cybersecurity; Deliver world-class security solutions to prevent and rapidly respond to cyber incidents; and Build and lead communities to enable an environment of trust in cyberspace. https://www.cisecurity.org/
The “No-More-Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals. https://www.nomoreransom.org/
Open State Foundation¶
A Dutch foundation fighting for more digital transparency in the Netherlands. http://www.openstate.eu/
Security in-a-Box is a guide to digital security for activists and human rights defenders throughout the world. Security in-a-box offers a guide and real nice tools for everyone who cares about privacy in a volatile world. See https://securityinabox.org/en
Privacytools.io is a socially motivated website that provides information for protecting your data security and privacy. The site has an impressive tool collection https://www.privacytools.io/ Yes, we can not incorporate all tools in this reference architecture. Our list is opinionated to surprise you only with some great examples to make you hungry!
Focuses on the Security Officers and on helping them in doing their daily business as comfortable as possible. The main goals of SOMAP.org are to develop and maintain: - Guides and Handbooks explaining and describing Risk Management. - an open and free ‘best practice’ Risk Model Repository with security objectives, threats and other risk related meta-data. https://www.somap.org/
Data Transparency Lab (DTL)¶
A community of technologists, researchers, policymakers and industry representatives working to advance online personal data transparency through scientific research and design. Also a collection of OSS tools to visualize internet privacy horror are offered. http://www.datatransparencylab.org
P=P Foundation = Privacy by Default¶
The P=P foundation advocates Privacy. The p≡p engine was developed for this purpose and drives several crypto standards on different digital channels. It shall ultimately restore Privacy by Default. p≡p engine is distributed as Free Software to support Privacy for everyone. With that p≡p aims to restore the balance again in worldwide communications in favor of Privacy and Freedom of Information. https://pep.foundation/index.html
The Public Voice¶
The Public Voice coalition was established in 1996 by the Electronic Privacy Information Center (EPIC) to promote public participation in decisions concerning the future of the Internet. The Public Voice has pursued issues ranging from privacy and freedom of expression to consumer protection and Internet governance. Check: https://thepublicvoice.org/
The list with security and privacy checklists is long. However in this opinionated list we collected OPEN lists (so under an open license published) that are ready to use and to improve. OSS Security Badges project (Work in progress), D. Wheeler, https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/criteria.md
Linux workstation security checklist: https://github.com/lfit/itpol/blob/master/linux-workstation-security.md
Guide to securing personal information (Australian government): https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information
Securing Web Application Technologies [SWAT] Checklist: https://software-security.sans.org/resources/swat
Kubernetes Security- Best Practice Guide, https://github.com/freach/kubernetes-security-best-practice
REST API Checklist: Summary of important security countermeasures when designing, testing, and releasing your API, https://github.com/shieldfy/API-Security-Checklist
CWE (Common Weakness Enumeration - CWE™) is a community-developed list of common software and hardware security weaknesses. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. Available on: http://cwe.mitre.org/
Learning from attacks¶
Key Reinstallation Attacks- Breaking WPA2 by forcing nonce reuse (KRACK). With hands-on description, check it out: https://www.krackattacks.com/
Open Source Initiative (OSI)¶
To learn more about the Open source licenses and the foundation behind this initiative: The Open Source Initiative (OSI), http://opensource.org/licenses/
Libre Router project¶
The Libre Router project is creating a high performance multi-radio wireless router targeted at Community Networks needs. So if you are keen on privacy, check https://librerouter.org/home
Information Security Guide¶
Guide setup like this one, so to prevent to reinvent the wheel every time you start a new project, policy, or security function. https://spaces.internet2.edu/display/2014infosecurityguide/Welcome+to+the+Guide
The Free Software Foundation, https://www.gnu.org
Web Authorization Protocol (OAuth), https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01
Web Security technologies change continuously. A perfect solution does not exist. So make sure good practices are combined with good principles and non technical measurements for minimizing risks.
Mozilla Web Security Guide, https://developer.mozilla.org/en-US/docs/Web/Security