Open Toolbox

Besides software tools, many tools within the field of security and privacy are knowledge tools: valuable design templates, risk sheets or collections of models that will help you create your solution.

When creating this reference architecture, we performed serious research. We used many valuable sources (books, articles, scientific publications, blogs, etc.). In this section you will find real reusable tools. All tools are focused on making it easier to solve your security and/or privacy challenge. So you will find many real, reusable, open (cc-by) tools, so you can create your solution without reinventing the wheel.

We believe that all knowledge for building better security and privacy solutions should be available under an open access license. This is why all references in this section are open access references or available for free under an open liberal license.

Secure Coding Guidelines

Secure coding is the practice of developing software that prevents security and privacy risks. Coding defects, bugs and logic flaws are a main cause of many software vulnerabilities. Since prevention is better and less complex than fixing security defects later, every software engineer should use secure coding guidelines and practices.

Reproducible builds

Reproducible builds are a set of software development practices that create an independently-verifiable path from source code to the binary code used by computers. The Reproducible Builds project provides rules, guidelines, tools and more to allow verification that no vulnerabilities or backdoors have been introduced during the software compilation process.

https://reproducible-builds.org/

Mozilla

Mozilla is an OSS Foundation that produces a Browser and various other online communication tools. Security and privacy are a number one priority for the Mozilla Foundation. Mozilla produces a large amount of code in various programming languages. One of the secure coding guidelines that is used internally can be found here: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

Golang programming

Go Language Web Application Secure Coding Practices, https://checkmarx.gitbooks.io/go-scp/ CC-licensed, so you can edit this GitBook yourself. Check the repository at https://github.com/Checkmarx/Go-SCP. And of course the OWASP Secure Coding Practices are used for this Go-specific publication.

OSS Security Software Repositories

The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace. OSS invites cooperative development of technology, encouraging broad use and adoption.

The collection of NSA repositories is large and some are too good to be neglected. To name a few:

  • Apache Accumulo: A sorted, distributed key/value store that provides robust, scalable data storage and retrieval. It adds cell-based access control and a server-side programming mechanism that can modify key/value pairs at various points in the data management process.
  • CASA: Identifies unexpected and prohibited Certificate Authority certificates on Windows systems.
  • DCP: A program that reduces the timespan needed for making a forensic copy of hard drives for forensic analysis.
  • JAVA PATHFINDER MANGO (JPF-MANGO): A static code analysis tool that uses formal methods for analysis. It is part of NASA Ames Java PathFinder project which is a system used to verify executable Java byte code.
  • LEMONGRAPH/LEMONGRENADE: Log-based transactional graph database engine backed by a single file. The primary use case is to support streaming seed set expansion, iterative correlation, and recursive file processing.
  • Apache NIFI: Automates the flow of data between systems. NiFi implements concepts of Flow-Based Programming and solves common data flow problems faced by enterprises.
  • OPENATTESTATION: Verifies system integrity by establishing a baseline measurement of a system’s Trusted Platform Module (TPM) and monitors for changes in that measurement. Originally based on NSA’s Host Integrity at Startup (HIS) software.
  • SYSTEM INTEGRITY MANAGEMENT PLATFORM (SIMP): Automates system configuration and compliance of Linux operating systems so they conform to industry best practices.

For all NSA repositories see: https://nationalsecurityagency.github.io/

General information on information security

High-level overview of information security principles: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf

Software Security Knowledge Area: https://www.cybok.org/news/software-security-ka-issue-10 Document of the CyBOK project (https://www.cybok.org) to harvest security knowledge.

Cryptography KA issue 1.0, 2018: https://www.cybok.org/news/cryptography-ka-issue-10 Also of the CyBOK project.

Threat Models

The OWASP Automated Threat Handbook provides actionable information and resources to help defend against automated threats to web applications. https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

Security Frameworks

NIST Framework for Improving Critical Infrastructure Cybersecurity:

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

http://www.nist.gov/cyberframework/

Jericho security model, Open Group, https://collaboration.opengroup.org/jericho/

NIST, http://www.nist.gov/cyberframework/index.cfm

OECD privacy framework 2009, 2010, http://oecdprivacy.org/

Software Assurance Maturity Model (OWASP), http://www.opensamm.org/

Open Security Architecture (OSA), http://www.opensecurityarchitecture.org/

Mozilla Information Security Guides, https://infosec.mozilla.org/ Technical guidelines, principles and general information as used by the infosec team of Mozilla.

Privacy Reference Architectures and Models

Privacy represents a broad variety of concerns — subjective, contextual, hard-to-define — that real people have about the flows of personal information. This initiative is building a living, community space where everyone can contribute their privacy design patterns. https://privacypatterns.org

IMMA Privacy reference architecture, publication of the Dutch Ministry of Infrastructure and the Environment, March 2016, http://www.beterbenutten.nl/assets/upload/files/IMMA/IMMA-Privacy-reference-architecture-EN-2016.pdf

Privacy Management Reference Model and Methodology (PMRM) Version 1.0, Committee Specification Draft 01, 26 March 2012, http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.pdf

Privacy Management Reference Model and Methodology (PMRM) Version 1.0, http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.html

AICPA/CICA Privacy Maturity Model March 2011, http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/DownloadableDocuments/AICPA-CICA-Privacy-Maturity-Model-ebook.pdf

Generally Accepted Privacy Principles (GAPP), https://www.cippguide.org/2010/07/01/generally-accepted-privacy-principles-gapp/

Open Access Privacy Journals

Proceedings on Privacy Enhancing Technologies http://www.degruyter.com/view/j/popets

PoPETs is the journal that publishes papers accepted to the Privacy Enhancing Technologies Symposium (PETS). PETS brings together privacy and anonymity experts from around the world to discuss recent advances and new perspectives. PETS addresses the design and realization of privacy services for the Internet and other data systems and communication networks.

Transactions on Data Privacy

The aim of the Transactions on Data Privacy (TDP) is to provide an international forum for researchers on all topics related to data privacy technologies. http://www.tdp.cat/

Guide to data protection

This guide is for those who have day-to-day responsibility for data protection. It explains the purpose and effect of each principle, gives practical examples and answers frequently asked questions. https://ico.org.uk/for-organisations/guide-to-data-protection/

Open Foundations on Security & Privacy

Python Forensics, Inc.

A non-profit organization focused on the collaborative development of open source investigative technologies using the Python programming language. See: http://python-forensics.org/ for more information.

OpenSCAP

The OpenSCAP project provides tools to improve security of your infrastructure using open source tools. This project is founded by Red Hat and the tools are NIST certified. Use of the tools is encouraged if your systems or infrastructure need to meet NIST (or other US) security standards. https://www.open-scap.org/

Center for Internet Security (CIS)

The Center for Internet Security (CIS) is a 501(c)(3) organization dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. CIS’s mission is to: identify, develop, validate, promote, and sustain best practices in cybersecurity; deliver world-class security solutions to prevent and rapidly respond to cyber incidents; and build and lead communities to enable an environment of trust in cyberspace. https://www.cisecurity.org/

No-More-Ransom

The “No-More-Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals. https://www.nomoreransom.org/

Open State Foundation

A Dutch foundation fighting for more digital transparency in the Netherlands. http://www.openstate.eu/

Security in-a-box

Security in-a-Box is a guide to digital security for activists and human rights defenders throughout the world. Security in-a-Box offers a guide and really nice tools for everyone who cares about privacy in a volatile world. See https://securityinabox.org/en

Privacytools.io

Privacytools.io is a socially motivated website that provides information for protecting your data security and privacy. The site has an impressive tool collection: https://www.privacytools.io/ Yes, we cannot incorporate all tools in this reference architecture. Our list is opinionated, to surprise you with only some great examples to make you hungry!

SOMAP.org

Focuses on Security Officers and on helping them do their daily business as comfortably as possible. The main goals of SOMAP.org are to develop and maintain: guides and handbooks explaining and describing Risk Management; and an open and free ‘best practice’ Risk Model Repository with security objectives, threats and other risk related meta-data. https://www.somap.org/

Data Transparency Lab (DTL)

A community of technologists, researchers, policymakers and industry representatives working to advance online personal data transparency through scientific research and design. A collection of OSS tools to visualize internet privacy horror is also offered. http://www.datatransparencylab.org

P=P Foundation = Privacy by Default

The P=P foundation advocates Privacy. The p≡p engine was developed for this purpose and drives several crypto standards on different digital channels. It shall ultimately restore Privacy by Default. p≡p engine is distributed as Free Software to support Privacy for everyone. With that p≡p aims to restore the balance again in worldwide communications in favor of Privacy and Freedom of Information. https://pep.foundation/index.html

ICO

The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. https://ico.org.uk/

Checklists

The list of security and privacy checklists is long. However, in this opinionated list we collected OPEN lists (published under an open license) that are ready to use and to improve.

OSS Security Badges project (Work in progress), D. Wheeler, https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/criteria.md

Linux workstation security checklist: https://github.com/lfit/itpol/blob/master/linux-workstation-security.md

Guide to securing personal information (Australian government): https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information

Securing Web Application Technologies [SWAT] Checklist: https://software-security.sans.org/resources/swat

Kubernetes Security - Best Practice Guide, https://github.com/freach/kubernetes-security-best-practice

REST API Checklist: Summary of important security countermeasures when designing, testing, and releasing your API, https://github.com/shieldfy/API-Security-Checklist

Vulnerability Databases

Common Weakness Enumeration (CWE™), cwe.mitre.org

Learning and training resources

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. All OSS with the code on GitHub. Check it out: http://overthewire.org/wargames/

Key Reinstallation Attacks - Breaking WPA2 by forcing nonce reuse (KRACK). With hands-on description, check it out: https://www.krackattacks.com/

Practical Cryptography for Developers: https://cryptobook.nakov.com/

Open Source Initiative (OSI)

To learn more about the Open source licenses and the foundation behind this initiative: The Open Source Initiative (OSI), http://opensource.org/licenses/

Libre Router project

The Libre Router project is creating a high performance multi-radio wireless router targeted at Community Networks needs. So if you are keen on privacy, check https://librerouter.org/home

Information Security Guide

A guide set up like this one, to prevent reinventing the wheel every time you start a new project, policy, or security function. https://spaces.internet2.edu/display/2014infosecurityguide/Welcome+to+the+Guide

The Free Software Foundation, https://www.gnu.org

Web Authorization Protocol (OAuth), https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01