Asterisk Security Toolkit

What's in your manbag?


Welcome.

Some of us break stuff, some of us defend stuff, some of us fix stuff, and some of us build stuff. Throughout all of this, there's much to learn, automate and share. This is the idea behind the Asterisk Security Toolset. Some of the code pushed here will be so small you'll wonder why we bothered. Other examples may be so big you'll likely wonder why we bothered (again). It doesn't matter, because we love to create! Welcome to our laboratory.

We'll do our best to group the tools on our GitHub into some semblance of organisation, but much of the time it doesn't work like that.

Front of Stack. (Or, things to do before you start building... and eventually breaking)

First off the rank are our tools that are meant to make the life of an (application) security designer or architect just that little bit easier. To begin with we present:

SAMM Self Assessment

The SAMM Self Assessment web application is a simplified checklist for performing a light-weight OpenSAMM assessment. This OWASP project has been exceptionally useful in a number of our engagements: enabling people to quickly gauge their status, particularly against documented target states, can be tremendously useful.

Status: (Forever) Beta - ssa.asteriskinfosec.com.au. You can see our current list of issues if you want to keep track.

Simple Strides

Simple Strides is a jQuery-based threat modelling utility. This one came from the difficulties of trying to run up Microsoft's Threat Modeling tool in a) a non-Windows environment, and b) without access to Visio. We thought to ourselves, why doesn't this thing just run in a browser?

Status: Beta - a little bit further away than the SAMM Self Assessment. You can see our current list of issues here.

Back of Stack. (Things for developers...)

These are libraries, tools, or other scripts explicitly intended to assist developers in adding or improving security within their platforms.

Devise Google Authenticator

Since Google released the Authenticator application we really thought there weren't any more valid excuses not to have second-factor authentication (2FA) in your apps. If you've built any apps in Rails you've likely come across Devise, one of the more popular authentication solutions for Rails applications. The Devise Google Authenticator gem extends Devise to allow your user authentication framework to leverage Google Authenticator for 2FA.

Blog entries here

Status: In use (over 5,100 downloads from rubygems).

Topple the Stack. (Things for breaking...)

These are the tools, scripts or other snippets we scrounge together to help us break things better.

Prenus (The Pretty Nessus Thing)

Everyone's heard of Nessus. While it may help you find trivial flaws in web apps, that's not its primary focus; even so, pretending that Nessus doesn't have a place in your defence (or offence) library is just silly. We use Nessus a bit, and when you've been scanning TONNES of hosts, getting to the juicy parts of that information can be quite difficult. Prenus is meant to help by chewing up Nessus export files and letting you output formatted HTML files with graphs, XLS files, and even output that can then be consumed by Afterglow or Circos.

Blog entries here

Status: We use it, sure (and apparently a bunch of other people do too; see rubygems).