Denys Rudyi - Fotolia
Cloud vendors such as AWS, Microsoft and Google offer suites of native security tools. These tools are certainly useful, but they can't be everything to everyone.
As cloud development presses on, it's common for IT teams to find gaps in their ability to securely develop and manage workloads on these platforms. Ultimately, it's the user's responsibility to fill these gaps. This is where open source cloud security tools often come in handy.
Popular open source cloud security tools are often developed at companies that have large IT teams with extensive cloud experience, such as Netflix, Capital One and Lyft. Teams begin these initiatives to address specific needs not covered by existing tools and services, and ultimately open source the software assuming it could benefit other organizations as well.
This isn't a comprehensive list, but it's a good place to start if you want to learn about the most popular open source cloud security tools on GitHub. Many of them work across different cloud environments, while others are specifically designed to work with AWS, which remains the most widely used public cloud. Check out these security tools for visibility, proactive testing and incident response.
Cloud Custodian. Cloud Custodian is a stateless rules engine used to manage AWS, Microsoft Azure and Google Cloud Platform (GCP) environments. It consolidates many of the compliance scripts organizations use into one tool, with unified reporting and metrics. With Cloud Custodian, you can set rules that check the environment against security and compliance standards, as well as cost optimization guidelines.
Cloud Custodian policies, written in YAML, express the type and set of resources to check, as well as what actions to take on these resources. For example, you can set a policy that enables bucket encryption on all Amazon S3 buckets.You can link Cloud Custodian with native cloud services and serverless runtimes to automatically resolve policies.
Cloud Custodian was originally developed and open sourced by software engineer Kapil Thangavelu at Capital One.
Cartography. Cartography creates infrastructure maps. This automated graphing tool visually illustrates how your cloud infrastructure assets are connected. This can improve security visibility across your whole team. Use this tool to generate asset reports, highlight potential attack paths and identify areas for security improvement.
Cartography was developed in Python by engineers at Lyft and runs on a Neo4j database. It supports multiple services on AWS, Google Cloud Platform and G Suite.
Diffy. Diffy is a triage tool for digital forensics and incident response (DFIR). When your environment has been attacked or compromised, it's your DFIR team's job to sweep your resources for anything the attacker left behind. This can be a tedious manual process. Diffy provides a differencing engine, which highlights outliers in instances, VMs and other resource behaviors. Diffy will tell the DFIR team which resources are behaving strangely to help identify where to root out attackers.
Diffy is early in development and mainly serves Linux instances on AWS, but its plugin structure could support multiple clouds. Diffy is written in Python and was created by Netflix's Security Intelligence and Response Team.
Gitleaks. Gitleaks is a static application security testing tool that scans your Git repositories for secrets, API keys and tokens. As IT security has shifted left with DevSecOps, developers need to test code earlier in the development pipeline. Gitleaks can scan private and organization-wide Git repositories for committed and uncommitted secrets and includes JSON and CSV reporting.
Gitleaks is written in Go and maintained by Zachary Rice, a software engineer for GitLab.
Git-secrets. Git-secrets is a development security tool that prevents you from including secrets and other sensitive information in your Git repository. It scans commits and commit messages and rejects any that match one of your preconfigured, prohibited expressions patterns.
Git-secrets is built for use in AWS. It was created by AWS Labs, which continues to maintain the project.
OSSEC. OSSEC is a security platform that combines host-based intrusion detection, log monitoring, and security information and event management. Originally developed for on-premises security, you can also use it on cloud-based VMs.
One of platform's benefits is its versatility. It works in AWS, Azure and GCP environments. It also supports multiple OSes, such as Linux, Windows, Mac OS X and Solaris. OSSEC provides a centralized management server to monitor policies across platforms as well as agent and agentless monitoring.
Some key features of OSSEC include:
- File integrity checking, which alerts you when a file or directory in your system changes.
- Log monitoring, which collects and analyzes all the logs in your system and alerts to any suspicious activity.
- Rootkit detection, which notifies you when your system experiences a rootkit-like modification.
- Active response, which enables OSSEC to take immediate action when specific intrusions are detected.
OSSEC is maintained by the OSSEC Foundation.
PacBot. PacBot, also known as Policy as Code Bot, is a compliance monitoring platform. You implement your compliance policies as code, and PacBot checks your resources and assets against those policies.You can use PacBot to automatically create compliance reports and resolve compliance violations with predefined fixes.
Use the Asset Group feature to organize your resources within the PacBot UI dashboard, based on certain criteria. For example, you can group all your Amazon EC2 instances by state -- such as pending, running or shutting down -- and view them together. You can also limit the scope of a monitoring action to one asset group, for more targeted compliance.
PacBot was created by T-Mobile, which continues to maintain it.It can be used with AWS and Azure.
Pacu. Pacu is a penetration testing toolkit for AWS environments. It provides a red team a series of attack modules that aim to compromise EC2 instances, test S3 bucket configurations, disrupt monitoring capabilities and more. The toolkit currently has 36 plugin modules and includes built-in attack auditing for documentation and test timeline purposes.
Pacu is written in Python and maintained by Rhino Security Labs, a penetration testing provider.
Prowler. Prowler is an AWS command-line tool that assesses your infrastructure against AWS Center for Internet Security benchmarks, as well as GDPR and HIPAA checks. You can check your entire infrastructure or specify an AWS profile or region to review. Prowler can run multiple reviews simultaneously and file reports in standard formats such as CSV, JSON and HTML. It also integrates with AWS Security Hub.
Prowler was created by Toni de la Fuente, an AWS security consultant who still maintains the project.
Security Monkey. Security Monkey is a monitoring tool that watches for policy changes and vulnerable configurations in AWS, GCP and OpenStack environments. In AWS, for example, Security Monkey alerts you when an S3 bucket or security group is added or deleted and keeps track of your AWS Identity and Access Management keys, among many other monitoring tasks.
Security Monkey was developed by Netflix, though its support for the tool is now limited to minor bug fixes. Vendor alternatives are AWS Config and Google Cloud Asset Inventory.