Security and Privacy References

Besides FOSS software tools many other type of tools exist within the field of security and privacy.E.g. Knowledge tools, design templates, risk sheets or collections of specific security guides that helps you when creating your solution.

When creating this reference architecture, we performed serious research. We used many valuable sources (books, articles, scientific publications, blogs, etc). In this section you find real reusable tools. All tools are focused on helping to solve your security and/or privacy challenge easier. So you find many reusable real open (cc-by) tools for so you can create your solution without reinventing the wheel again.

We believe that all knowledge for building better security and privacy solutions should be available under an open access license. This is why all references in this section are open access references or available for free under an open liberal license.

FOSS Security Software Repositories

The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace. OSS invites cooperative development of technology, encouraging broad use and adoption.

The collection of NSA repositories is large and some are too good to be neglected. To name a few:

  • Apache Accumulo: A sorted, distributed key/value store that provides robust, scalable data storage and retrieval. It adds cell-based access control and a server-side programming mechanism that can modify key/value pairs at various points in the data management process.

  • CASA: Identifies unexpected and prohibited Certificate Authority certificates on Windows systems.

  • DCP: A program that reduces the timespan needed for making a forensic copy of hard drives for forensic analysis.

  • JAVA PATHFINDER MANGO (JPF-MANGO): A static code analysis tool that uses formal methods for analysis. It is part of NASA Ames Java PathFinder project which is a system used to verify executable Java byte code.

  • LEMONGRAPH/LEMONGRENADE:Log-based transactional graph database engine backed by a single file. The primary use case is to support streaming seed set expansion, iterative correlation, and recursive file processing.

  • Apache NIFI: Automates the flow of data between systems. NiFi implements concepts of Flow-Based Programming and solves common data flow problems faced by enterprises.

  • OPENATTESTATION:Verifies system integrity by establishing a baseline measurement of a system’s Trusted Platform Module (TPM) and monitors for changes in that measurement. Originally based on NSA’s Host Integrity at Startup (HIS) software.

  • SYSTEM INTEGRITY MANAGEMENT PLATFORM (SIMP):Automates system configuration and compliance of Linux operating systems so they conform to industry best practices.

For all NSA repositories see:

General information on information security

High-level overview of information security principles:

Software Security Knowledge Area: Document of the CyBOK project( to harvest security knowledge.

Cryptography KA issue 1.0, 2018: Also of the CyBok project.


A modern practical book about cryptography for developers with code examples. Practical Cryptography for Developers:

Thread Models

The OWASP Automated Threat Handbook provides actionable information and resources to help defend against automated threats to web applications.

Security Frameworks

NIST Framework for Improving Critical Infrastructure Cybersecurity:

Jericho security model, Open Group,


OECD privacy framework 2009, 2010,

Software Assurance Maturity Model (OWASP),

Open Security Architecture (OSA),

Mozilla Information Security Guides, Technical guidelines, principles and general information as used by the infosec team of Mozilla.

Privacy References Architectures and Models

Privacy represents a broad variety of concerns — subjective, contextual, hard-to-define — that real people have about the flows of personal information. This initiative is building a living, community space where everyone can contribute their privacy design patterns.

IMMA Privacy reference architecture, publication of the Dutch Ministry of Infrastructure and the Environment,March 2016,

Privacy Management Reference Model and Methodology (PMRM) Version 1.0, Committee Specification Draft 01, 26 March 2012,

Privacy Management Reference Model and Methodology (PMRM) Version 1.0,

AICPA/CICA Privacy Maturity Model March 2011,

Generally Accepted Privacy Principles (GAPP),

UN Handbook onPrivacy-PreservingComputation Techniques, This document describes motivations for privacy-preserving approaches for the statisticalanalysis of sensitive data, presents examples of use cases where such methods may apply and describes relevant technical capabilities to assure privacy preservation while still allowing analysis of sensitive data.

Open Access Privacy Journals

Proceedings on Privacy Enhancing Technologies

PoPETs is the journal that publishes papers accepted to the Privacy Enhancing Technologies Symposium (PETS). PETS brings together privacy and anonymity experts from around the world to discuss recent advances and new perspectives. PETS addresses the design and realization of privacy services for the Internet and other data systems and communication networks.

Transactions on Data Privacy

The aim of the Transactions on Data Privacy (TDP) is to provide an international forum for researchers on all topics related to data privacy technologies.

Guide to data protection

This guide is for those who have day-to-day responsibility for data protection. It explains the purpose and effect of each principle, gives practical examples and answers frequently asked questions.

Open Foundations on security & Privacy

Python Forensics, Inc.

A non-profit organization focused on the collaborative development of open source investigative technologies using the Python programming language. See: for more information.


The OpenSCAP project provides tools to improve security of your infrastructure using open source tools. This project is founded by RedHat and the tools are NIST certified. Use of the tools is encouraged if your systems or infrastructure needs to meet NIST (or other US) security standards.

Center for Internet Security (CIS)

The Center for Internet Security (CIS) is a 501(c)(3) organization is dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. CIS’s Mission is to: Identify, develop, validate, promote, and sustain best practices in cybersecurity; Deliver world-class security solutions to prevent and rapidly respond to cyber incidents; and Build and lead communities to enable an environment of trust in cyberspace.


The “No-More-Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Open State Foundation

A Dutch foundation fighting for more digital transparency in the Netherlands.

Security in-a-box

Security in-a-Box is a guide to digital security for activists and human rights defenders throughout the world. Security in-a-box offers a guide and real nice tools for everyone who cares about privacy in a volatile world. See is a socially motivated website that provides information for protecting your data security and privacy. The site has an impressive tool collection Yes, we can not incorporate all tools in this reference architecture. Our list is opinionated to surprise you only with some great examples to make you hungry!

Focuses on the Security Officers and on helping them in doing their daily business as comfortable as possible. The main goals of are to develop and maintain: - Guides and Handbooks explaining and describing Risk Management. - an open and free ‘best practice’ Risk Model Repository with security objectives, threats and other risk related meta-data.

Data Transparency Lab (DTL)

A community of technologists, researchers, policymakers and industry representatives working to advance online personal data transparency through scientific research and design. Also a collection of OSS tools to visualize internet privacy horror are offered.

P=P Foundation = Privacy by Default

The P=P foundation advocates Privacy. The p≡p engine was developed for this purpose and drives several crypto standards on different digital channels. It shall ultimately restore Privacy by Default. p≡p engine is distributed as Free Software to support Privacy for everyone. With that p≡p aims to restore the balance again in worldwide communications in favor of Privacy and Freedom of Information.

The Public Voice

The Public Voice coalition was established in 1996 by the Electronic Privacy Information Center (EPIC) to promote public participation in decisions concerning the future of the Internet. The Public Voice has pursued issues ranging from privacy and freedom of expression to consumer protection and Internet governance. Check:


The ICO is the UK’s independent body set up to uphold information rights. The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


The list with security and privacy checklists is long. However in this opinionated list we collected OPEN lists (so under an open license published) that are ready to use and to improve. OSS Security Badges project (Work in progress), D. Wheeler,

Linux workstation security checklist:

Guide to securing personal information (Australian government):

Securing Web Application Technologies [SWAT] Checklist:

Kubernetes Security- Best Practice Guide,

REST API Checklist: Summary of important security countermeasures when designing, testing, and releasing your API,

Vulnerability Databases

CWE (Common Weakness Enumeration - CWE™) is a community-developed list of common software and hardware security weaknesses. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. Available on:

Learning from attacks

Key Reinstallation Attacks- Breaking WPA2 by forcing nonce reuse (KRACK). With hands-on description, check it out:

Open Source Initiative (OSI)

To learn more about the Open source licenses and the foundation behind this initiative: The Open Source Initiative (OSI),

Libre Router project

The Libre Router project is creating a high performance multi-radio wireless router targeted at Community Networks needs. So if you are keen on privacy, check

Information Security Guide

Guide setup like this one, so to prevent to reinvent the wheel every time you start a new project, policy, or security function.

The Free Software Foundation,

Web Authorization Protocol (OAuth),

Web security

Web Security technologies change continuously. A perfect solution does not exist. So make sure good practices are combined with good principles and non technical measurements for minimizing risks.

Mozilla Web Security Guide,