Open source is making things easier for security professionals. But choosing software to check vulnerabilities still seems difficult for many developers. Jagmeet Singh of OSFY spoke to Fedora fellow, Joerg Simon, who created Fedora Security Spin, to discuss the evolution of community-backed solutions in the world of penetration testing and security assessment. Edited excerpts…
Q What was the idea behind creating the Fedora Security Lab?
The original idea behind developing Fedora Security Lab (FSL) was to provide the same security tools and security related software that we maintain in Fedora as a ready-to-go, official Fedora security related release. Besides the official spin, we created a package group for the Fedora repositories to have it bundled with the Fedora installations and to provide the group install feature.
It was just a technical showcase of Fedora security features and tools, in the beginning. But today, the same group is involved in a small sub-project of its own.
Initially, I wanted to have FSL for teaching students and giving talks on security along with my favourite Security Test Platform. But something was missing — the targets to test.
You cannot just test in the wild, without penalties. Help came from my co-maintainer, Fabian Affolter. He created the ‘Fedora Security Lab Test Bench’ that provides the counterpart to the original FSL, and lets you use it in a classroom environment on targets with built-in limitations.
It was very clear from the beginning that FSL, as a platform for professional security testers, can only be a starting point. To fill this gap without violating any Fedora guidelines, we also provide playbooks to simplify the installation process of tools with a very fast development cycle, and to add more features.
Q Vulnerabilities in software often grab the headlines. How can open source software help design an effective security solution?
The paradigm of security solutions is conservative in itself. Security solutions, as we know them today, often fail because they focus on threats derived from risks, which are dynamic. Instead, they should focus on the assets first.
Commercial security solutions providers also have the burden of convincing you that you have a particular problem and that you need the solution in the first place. Later, they need to sell you the same product all over again, the next season.
Technically, every so-called security solution is just a ragbag of software, which puts up some security controls — whether you need them or not is a different question.
Because you can always access, review and change the code, the benefits of using open source are obvious and proven. Especially, backdoors and design flaws, like in encryption, can be detected much more easily and will often be fixed in a very short time.
Q Do you think it is open source that makes not just Fedora Security Lab but several other penetration testing solutions successful in the current market?
Free and unlimited access, of course, is one prime reason to make penetration testing solutions successful in the market, whereas community-driven documentation and to-dos are the other reason.
I also think that most open source tools exist because the creator just needed these to get real work done without focusing on profit. With the UNIX philosophy in mind, which is, “Write programs that do one thing and do it well,” we have an extensive collection of tools that do exactly that. Bundling the good tools to work well together and out-of-the-box makes the solution a success.
Q You have built an active community around various developments related to open source solutions. Why is there a need for a community to maintain a platform like Fedora Security Lab?
Having a real world use-case is imperative. If you do not have a community of users, you will not be able to develop a community of contributors. For instance, students often choose to write an open source tool for their project work at their university, but these tools are not maintained afterwards because a community is missing.
I am quite certain that without people like Fabian Affolter and many contributors from the Fedora Infrastructure Team, who really care and are working on it busily all the time, the FSL project would not last long.
Q How do you handle community engagements to enhance the features of Fedora Security Lab?
Having a contributor-friendly ecosystem keeps the project running. A lot of contribution for FSL comes from the community of the Fedora Project itself. You will find all the new features that come with the operating system in FSL as well.
We host our related content for FSL on the fedorahost.org website. Its technical showcase is built by the Fedora build servers, while the Fedora design, marketing, website and ambassador group help to spread the word.
People who want to contribute to FSL directly can do that by joining the Fedora Project in the Fedora Account System. They can then contribute content directly to our FSL group — to the documentation team, as a package maintainer or to another group within Fedora. In any case, we are approachable for mentoring.
Q What are your plans for expanding Fedora’s presence in India?
Making FSL a part of the Fedora Project is my plan to expand the entire platform. The nice side-effect is that I can teach about what I know well, which is information security. And I can teach it along with my favourite platform, FSL, and my favourite methodology, the Open Source Security Testing Methodology Manual (OSSTMM).
As and when time and budgets allow me, I often travel through my beloved India, giving talks and teaching at universities and conferences regarding FSL. I consider myself a part of the Indian null security community and the Fedora community.
I have travelled to India at least once a year since 2009 to spread the word. I teach for free — if there are charges or certification fees, they go directly to the communities, and enable more research and development.
Q What is the prime target audience for Fedora Security Lab? Also, where does India feature in your audience?
I think FSL is the perfect platform for teaching security testing. This recommendation clearly goes for teachers, students and various security testers who want to use Fedora as their base OS for testing.
If I give a piece of training in Germany, it can happen that I have 30 professors in the training round but not a single student. However, this is not the case in India.
In India, during a talk, it can easily be 200 students, professionals and more. So India is my No. 1 audience.
Q As you have been a mentor for Fedora Project contributors, have you seen some Indians making major contributions towards the open source venture?
The interesting thing with mentoring is that you are a mentor and being mentored at the same time. I could attach a long list of people who I consider valuable for the open source movement. I am sure I would miss someone important. So I only want to mention Atul Chitnis — who passed away much too soon — as one who built and shaped the open source ecosystem on Indian soil significantly.
Q Do you think state governments need to target security to avoid instances of Heartbleed, Shellshock and POODLE, in the future?
I think having a clear cyber-resilience strategy is an imperative role for every government, not only to protect critical infrastructure but also to protect the privacy of its citizens. My concern is that politicians are not fit to make a decent decision in this field. And because politicians are not experts, they hire consultants who are more focused on prolonging the problems to make more money. The Open Source Movement is the proper answer.
Open standards like the OSSTMM are made without the conflict of interest which we see with organisations like ISO, AXELOS, ISACA or the (ISC)². The latter focus more on the money-making side of standards and certifications, instead of working together to make things right.
Q How is Fedora Security Lab different from other similar pentest distros such as Kali Linux and BackBox?
I have not really looked into the other distros so I might be wrong in my answer, but the difference could be that we are an RPM-based distro. We also focus on testing methodologies, and on teaching along with a test-bench that provides vulnerable services and applications for testing purposes.
We have a fast pace with the Fedora project release cycle of six months, which might also be a difference. I see the FSL more as a starting point to build your own RPM-based security testing platform than a simple pentest distro.
Q Apart from offering Fedora Security Lab, you also teach Fedora Security and the Open Source Security Testing Methodology Manual (OSSTMM). How easy is it to educate people about concepts like penetration testing and security assessment?
The OSSTMM breaks with a lot of conventional security thinking. It is a scientific approach and, for several people, it is not easy to accept a new truth, at first. As soon as the practicability of the OSSTMM is demonstrated and you start using it in your daily work, you see the proper test results and you understand how it helps to become a much better security tester or security analyst.
In my opinion, it is easy to teach in regions like India because people are hungry for knowledge. But teaching security practices is also challenging, because people will not accept methodologies that do not work for them.
Q Considering the present job scenario in the IT industry, what is your opinion about security testing as a career?
It is awesome to have a career in security testing, but before you learn how to destroy or manipulate something, you should learn how to build and maintain it first. It is much harder to maintain a secure infrastructure than to find a flaw in this infrastructure. So the admins who are able to maintain a secure environment are the real super heroes.
Q Why should enterprises nowadays focus more on security rather than on expanding their existing operations?
The operational business will always come first, but operational security is the vital part of keeping it running.
Unfortunately, in my experience, what enterprises invest in security analysis is often not even one per cent of their revenue. Instead, entrepreneurs invest in more security solutions: “Yeah, just let us buy another firewall or IDS.” Enterprises that focus more on cyber security than on other security channels are making a mistake.
With the exploding number of breaches of trust that we have from different security channels, a security strategy needs to consider all these new vectors and figure out how to measure them and make the process transparent. Even today, I believe the easiest and most successful way to breach security is through the human channel (social engineering).
Another mistake is to rely on compliance and standards too much. While compliance assures average quality and security standards, which is good, it can also be a threat that can disable the operational business from one day to another. Being compliant does not mean you are secure, and being secure does not necessarily mean that you are complying with the required regulations or standards either.
Q Lastly, how has the field of penetration testing and security assessment evolved in the recent past?
I think the security communities have become more professional, which is good and bad at the same time. You end up with conflicting pressures of having fun, being a proper tester or making money.
What concerns me a bit is the trend of external bug bounty programmes run by big vendors that are very popular in India. Some might see this as an evolution. In my opinion, bug bounties are a bad way to deal with security and with people. It focuses on the limitations, and you get paid only if you find a bug. And corporates even save money by outsourcing these programmes — partnering with bug bounty brokers or coordinators.
I want to cite my mentor Pete Herzog here: “In street economics, it is just called pimping.” This means proper and complete testing is considered not worth paying for anymore. I am convinced that if this trend becomes increasingly successful, and if more and more follow this model, the payments will break down, and the quality of limitations found will get worse. That, of course, is bad for security.