2018 YEAR IN REVIEW: Open Source Collaboration
Supporting Open Source
At MindPoint Group we recognize the value that open source software provides and we work to support it in several ways.
First, we support open source software by making our own contributions to the community. Much of the software we write is open, available for use, and published in our GitHub organization. Some of the software we publish, like the Ansible system hardening roles, is directly applicable to many within the cybersecurity community and beyond. Other published software, such as Raziel, is domain-specific and not as widely usable, but we open it to provide greater transparency into the code we use to build our services.
Second, we support the open source software packages we use in our products and services directly through monetary support and development support. One way we provide monetary support is by subscribing to Tidelift which directly funds the maintainers of packages we use in our projects. We provide development support by encouraging and paying our developers to make code contributions back to the open source projects we use. The following is a list of some of the projects we published or supported this year.
We worked with the community and helped publish several new OS hardening roles and furthered development of existing roles.
- Windows 2008R2 and 2012 STIGs published
Ansible Lockdown was formalized as an official Ansible Community Working Group – https://github.com/ansible/community/tree/master/group-lockdown and we worked to launch several new community collaboration efforts.
- Biweekly working group meetings held on IRC
- Established a relationship with the Ansible Hardening project (Rackspace) and are currently working on a merger of efforts
- #ansible-lockdown IRC channel established for community collaboration
- Formed the ansible-lockdown (https://github.com/ansible-lockdown) and ansible-lockdown-sig (https://github.com/ansible-lockdown-sig) GitHub orgs to centralize development of new community hardening roles.
- Launched https://ansiblelockdown.io/
This year was our most active year for commits and external collaborators on the three primary roles MPG supports:
- You can also get more information on these at ansiblelockdown.io
A member of our proactive security services team identified an issue with CloudFront domain misconfigurations through some of our client work. They developed a tool to identify and secure those domains and ended up finding that the problem was much more widespread than initially thought. We open sourced that tool after coordinating with the AWS CloudFront team so that other researchers and organizations could use it to secure themselves.
Raziel is a lightweight, async/await abstraction library for interfacing with AWS DynamoDB. The library was developed directly for use in one of our products and is fairly domain-specific. However, we believe transparency and openness in software are key to building trust.
This is a command line utility built to help technical folks interact more easily with DISA STIG content. As cybersecurity practitioners we work with DISA STIG content frequently, and through our work developing Ansible roles for STIG content we need to parse and extract details from that content (distributed by DISA as XCCDF XML benchmarks) more easily. There are other tools available, but none of them are command-line friendly.
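To show the kind of extraction such a utility has to do, here is an added example (written for this page, not the code of the MindPoint Group utility) that parses a DISA-style XCCDF benchmark and pulls out the fields practitioners actually work from when writing a hardening role: the Group (V-) ID, Rule (SV-) ID, STIG ID from the rule's version element, severity, title, the VulnDiscussion embedded as escaped XML inside the description, the check content and the fix text. The XCCDF element layout and the 1.1 namespace are those used by DISA STIGs; the benchmark text itself is a constructed sample with made-up IDs and rule text, and the function and class names are this example's own.

```python
"""Extract rule details from DISA STIG XCCDF content (added example, not the utility's code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# DISA STIG severities map to these CAT levels (CAT I is the most severe).
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample: the element layout mirrors a DISA STIG XCCDF 1.1
# benchmark, but every ID, title and rule text here is made up.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example STIG (constructed sample)</title>
  <Group id="V-00001">
    <title>SRG-OS-000001</title>
    <Rule id="SV-00001r1_rule" severity="medium" weight="10.0">
      <version>EX-AC-000001</version>
      <title>Password history must be configured to 24 passwords remembered.</title>
      <description>&lt;VulnDiscussion&gt;Reusing passwords lets a compromised password stay valid.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;</description>
      <fixtext>Set Enforce password history to 24.</fixtext>
      <check system="C-1_chk">
        <check-content>Verify Enforce password history is set to 24 or more.</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="V-00002">
    <title>SRG-OS-000002</title>
    <Rule id="SV-00002r1_rule" severity="high" weight="10.0">
      <version>EX-AC-000002</version>
      <title>Blank passwords must not be permitted.</title>
      <description>&lt;VulnDiscussion&gt;Accounts with blank passwords can be accessed by anyone.&lt;/VulnDiscussion&gt;</description>
      <fixtext>Set Minimum password length to 14.</fixtext>
      <check system="C-2_chk">
        <check-content>Verify Minimum password length is 14 or more.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


@dataclass
class StigRule:
    group_id: str        # V-xxxxx
    rule_id: str         # SV-xxxxxrN_rule
    stig_id: str         # the <version> element, e.g. WN12-AC-000001 in a real STIG
    severity: str        # high / medium / low
    title: str
    vuln_discussion: str
    check_content: str
    fixtext: str

    @property
    def cat(self) -> str:
        return SEVERITY_TO_CAT.get(self.severity, "unknown")


def _namespace(root: ET.Element) -> str:
    """Return the XML namespace of the root tag ('' if none), so 1.1 and 1.2 both work."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def _tag(ns: str, name: str) -> str:
    return f"{{{ns}}}{name}" if ns else name


def _text(el: ET.Element, path: str) -> str:
    found = el.find(path)
    return (found.text or "").strip() if found is not None else ""


def _vuln_discussion(description: str) -> str:
    """DISA stores <VulnDiscussion> as escaped XML inside <description>; re-parse it."""
    try:
        inner = ET.fromstring("<d>" + description + "</d>")
    except ET.ParseError:
        return description.strip()
    vd = inner.find("VulnDiscussion")
    return (vd.text or "").strip() if vd is not None else description.strip()


def parse_stig(xml_text: str) -> List[StigRule]:
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    rules: List[StigRule] = []
    for group in root.iter(_tag(ns, "Group")):
        for rule in group.findall(_tag(ns, "Rule")):
            rules.append(StigRule(
                group_id=group.get("id", ""),
                rule_id=rule.get("id", ""),
                stig_id=_text(rule, _tag(ns, "version")),
                severity=rule.get("severity", "unknown"),
                title=_text(rule, _tag(ns, "title")),
                vuln_discussion=_vuln_discussion(_text(rule, _tag(ns, "description"))),
                check_content=_text(rule, f"{_tag(ns, 'check')}/{_tag(ns, 'check-content')}"),
                fixtext=_text(rule, _tag(ns, "fixtext")),
            ))
    return rules


def filter_by_severity(rules: List[StigRule], severity: str) -> List[StigRule]:
    return [r for r in rules if r.severity == severity]


def to_tsv(rules: List[StigRule]) -> str:
    """One row per rule, the shape a CLI would pipe into grep/cut/awk."""
    lines = ["group_id\trule_id\tstig_id\tcat\ttitle"]
    for r in rules:
        lines.append(f"{r.group_id}\t{r.rule_id}\t{r.stig_id}\t{r.cat}\t{r.title}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_tsv(parse_stig(SAMPLE_XCCDF)))
```

The namespace is read from the root element rather than hard-coded, since the same code should run over XCCDF 1.1 and 1.2 benchmarks; the VulnDiscussion re-parse is the step most ad hoc scripts get wrong, because the discussion text is double-encoded inside the description element.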
Django SAML2 Authentication
We are fans of Python and the Django framework and we use both to build some of our internal tools and other software. We also believe identity federation is important and just good security practice. This package provides an easy way to integrate SAML2 authentication with the Django framework.