Who doesn't want to secure software? After all, every day, another major security violation bubbles up from the swamp of bad programs. To help deal with this, at the Open Source Leadership Summit, the Linux Foundation announced the Red Team Project.
Red Teams, for those who don't live in the security world, are a way of testing the effectiveness of a company or group's security program. They do this by emulating how attackers go after your systems in the real world.
The Red Team Project is an incubator for open-source Red Team security tools. These include programs that support cyber range automation, containerized pentesting utilities, binary risk analysis, and standards validation programs.
This project doesn't come out of nowhere. It springs from the Fedora Red Team Special Interest Group. Jason Callaway, now a Google Customer Engineer, started the "Fedora Red Team SIG with some fellow Red Hatters at Def Con 25. We had some exploit mapping tools that we wanted to build, and I was inspired by Mudge and Sarah Zatko's Cyber-ITL project; I wanted to make an open-source implementation of their methodologies."
Cyber ranges? These are virtual spaces that can simulate hacker attacks. That's easy, in theory, to do on the cloud. A cyber range includes vulnerable machine images, vulnerable application configs, attack platforms, exploits, and operators. The range can then be used for security training by deploying hacker scenarios, which represent real-world situations your red and blue teams will be facing. Essentially, this will enable you to war-game your security infrastructure.
In addition, the open-source Cyber Test Lab (CTL) gives open-source projects a way to analyze their code. Besides helping developers, end-users will be able to use CTL to help prevent poorly-built binaries from going into production.