An open source security lab blueprint dedicated to fortifying open source projects, models and training datasets against potential vulnerabilities. Designed to operate efficiently even in low-resource settings, BeSLab provides a comprehensive solution that grants complete control and transparency to application security and security operations teams. Additionally, it serves as a valuable resource for security researchers by streamlining the process of bringing open source projects under scrutiny and significantly reducing remediation time.
With BeSLab, security professionals can leverage its suite of tools and functionalities to conduct thorough assessments, perform rigorous testing, and identify potential security gaps within open source projects. By offering complete visibility and control, BeSLab empowers security teams to implement robust security measures and safeguards, ensuring the integrity and resilience of open source software. You can leverage the BeS Environment Script Repository and BeS Playbooks to launch OSS security exploits (Red Teaming) and patch OSS vulnerabilities (Blue Teaming) from within a BeSLab.
- BeSLab is a blueprint hosted in BeSecure GitHub repository.
- An organization (private / community / individual) utilizes the BeSLab blueprint to seed a lab instance in the infrastructure available with the organization.
- A BeSLab instance is mainly concerned with open source artifacts such as projects, ML models, training datasets, documents and vulnerabilities. The lab addresses them as Projects of Interest (PoI), Models of Interest (MoI), Training Datasets of Interest (TDoI), Documents of Interest (DoI) and Vulnerabilities of Interest (VoI).
- The BeSecure community hosts a publicly available BeSLab instance in GitHub called BeSecure Community Lab.
- Each BeSLab instance is a registered OSS Assurance Service Provider (OASP). BeSecure Community Lab maintains the registry of all affiliated BeSLab instances across the world.
- BeSLab instances across the world can exchange asset data using a standard interchange format called the BeS Exchange Schema.
- BeSLighthouse is a dashboard that acts as the face of a BeSLab instance.
- The core of a BeSLab instance is an installation of BeSLighthouse, a Git based source code management tool and a set of datastore repositories.
- The Git based source code management platform in the lab has datastore repositories that maintain the details of PoI, MoI, TDoI, DoI and VoI.
- The outcome of any BeSLab instance is the attested and verified risk posture report of an open source artifact.
- The key idea of having a BeSLab is to drop the overall cost of doing risk assessment of open source artifacts, as the interested parties can subscribe to a lab service.
- The risk posture assessment of an open source artifact is done by a cybersecurity analyst using the automated environments and playbooks for the open source artifacts and tools respectively. The assessment outcome is submitted to the lab by the analyst for publication, attestation and maintenance.
- The BeSecure community in GitHub has published open source environments and playbooks that can be utilized by the cybersecurity analyst.
- A cybersecurity analyst must obtain a membership to the lab in order to take part in the lab.
- Organization - hosts the OSS Security Lab instance
- BeSLab Admin - seeds and manages the lab operations
- Security Analyst - member or contributor to a lab, who utilizes the lab for red teaming and blue teaming efforts
- Consumers/Subscribers - organizations or individuals who consume or subscribe to OSS Security Lab services
- Seed a new lab
- Add members to the lab
- Onboard open source artifacts (PoI, MoI, TDoI, DoI, VoI)
- Risk assessments of open source artifacts
- Publish assessment reports
- Attest a report
- Verify a report issued by the lab
- Distribute the TAVOSS version of an artifact
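How the "Attest a report" and "Verify a report issued by the lab" operations can fit together, as an added example that is not BeSLab or BLIman code: the OSAR fields, the attestation record layout and the choice of Ed25519 over a SHA-256 digest are assumptions made for illustration, and the sample report is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// OSAR is a hypothetical minimal assessment report (not the BeS Exchange Schema).
type OSAR struct {
	Lab      string `json:"lab"`      // issuing OASP (a BeSLab instance)
	Artifact string `json:"artifact"` // PoI/MoI/TDoI/DoI/VoI identifier
	Findings int    `json:"findings"`
}

// Attestation is the assumed Attestation Datastore record: digest plus lab signature.
type Attestation struct {
	ReportSHA256 string `json:"report_sha256"`
	Signature    string `json:"signature"`
}

// digest hashes a deterministic JSON encoding (fields in declaration order).
func digest(r OSAR) []byte {
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(b)
	return sum[:]
}

// Attest signs the report digest with the lab's Ed25519 private key.
func Attest(priv ed25519.PrivateKey, r OSAR) Attestation {
	d := digest(r)
	return Attestation{hex.EncodeToString(d), hex.EncodeToString(ed25519.Sign(priv, d))}
}

// Verify is the consumer-side check: recomputed digest must match and signature must hold.
func Verify(pub ed25519.PublicKey, r OSAR, a Attestation) bool {
	d := digest(r)
	sig, err := hex.DecodeString(a.Signature)
	return err == nil && hex.EncodeToString(d) == a.ReportSHA256 && ed25519.Verify(pub, d, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := OSAR{"BeSecure Community Lab", "example-project", 3} // constructed sample
	a := Attest(priv, r)
	fmt.Println(Verify(pub, r, a), Verify(pub, OSAR{r.Lab, r.Artifact, 0}, a)) // true false
}
```

A subscriber only needs the lab's public key and the attestation record to detect a report altered after issuance, which is what makes the "attested and verified" outcome checkable outside the lab.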
- Lab hosted privately inside an organization's private code collaboration platform
- Lab hosted in a community namespace of a public code collaboration platform like GitHub
- Lab hosted privately within an individual's laptop or a virtual machine
Abbreviation | Description |
---|---|
PoI | OSS Projects of Interest |
VoI | Vulnerabilities of Interest |
MoI | Models of Interest |
TDoI | Training Datasets of Interest |
DoI | Documents of Interest |
E | BeSEnvironments Datastore |
P | BeSPlaybooks Datastore |
ADS | Attestation Datastore |
OSAR | Open Source Assessment Report |
HE1..N | Hosted BeS Environments 1..N |
OSST1..N | Open Source Security Tools 1..N |
LE1..N | Local BeSEnvironments |
G | Genesis File for a Lab |
OASP | OSS Assurance Service Provider |
Field | Description |
---|---|
BeSecure | Open source community ecosystem developed and maintained by open source security specialists |
BeS | Short form for BeSecure |
BeSLab | Open source security lab blueprint dedicated to fortifying open source projects, models and training datasets. Use this blueprint to spin up an open source security lab. |
BeSLab Admin | Administrator of a BeSLab instance |
Cybersecurity Analyst | Member of a BeSLab instance who performs the Red Teaming (RT) and Blue Teaming (BT) activities on the open source artifacts. |
BeSPod | Group of skilled people who can utilize a lab to do Red Teaming and Blue Teaming on open source artifacts |
BLIman | Command line utility for the administration of a BeSLab instance. The BeSLab Admin uses it for lab seeding, artifact onboarding, member onboarding, etc. |
Genesis File | Configuration file used by BLIman to seed a BeSLab instance |
BeSEnvironments | A customized computing setup with all the necessary tools pre-installed to do security assessments and remediation. The environments are packaged as shell scripts that are executed on a target machine using BeSMan. |
BeSMan | Command line utility to create a BeS Environment |
BeSPlaybooks | Automated execution steps for a specific tool or activity |
BeSecure Community Lab | A public BeSLab instance hosted in GitHub, which also acts as the registry of all BeSLab instances in the world |
Open Source Projects of Interest (PoI) | Open source project to which a BeSLab provides security services such as assessment and remediation |
Open Source Models of Interest (MoI) | Open source ML model to which a BeSLab provides security services such as assessment and remediation |
Vulnerabilities of Interest (VoI) | Vulnerability information that a BeSLab is interested in because it affects a PoI |
Training Datasets of Interest (TDoI) | Publicly available ML model training dataset for which a BeSLab wants to provide validation services |
Documents of Interest (DoI) | Content needing attestation, plagiarism checks, deepfake detection, or copyright / watermarking. The CDN works as the datastore or document database for these. |
Open Source Artifacts | PoI, MoI, TDoI, DoI and VoI |
TAVOSS | Trusted and Verified Open Source Software |
OSS Assurance Service Provider (OASP) | Each BeSLab instance is an OASP that provides assurance services on the open source artifacts it is interested in. |
BeSLighthouse | Dashboard that gives a view into the services of a lab. |
Attestation Datastore | Datastore that hosts digitally attested artifacts issued by a BeSLab instance. |
Open Source Assessment Report (OSAR) | Open source artifact assessment report issued by the lab. For instance, a vulnerability assessment report on an OSS project is an OSAR. |
Open Source Security Tools (OSST) | The tools maintained in the lab and used for the risk assessment of open source artifacts. |
- TAVOSS is software that is vetted and secure, and that can help address security concerns.
- TAVOSS is a set of principles and practices that can help the adoption of open source in enterprises.
- TAVOSS software is also accompanied by documentation and support, which can help address the lack of knowledge and cultural resistance.
- The lab admin affiliates the new lab into the OASP registry (maintained at BeSecure Community Lab) and downloads the genesis file template.
- Configure the genesis file to meet the lab requirements.
- Install BLIman: `curl -L https://be-secure.github.io/BLIman/get.bliman.io | bash`
- Initialize BLIman; this also installs BeSMan: `bli init light`
- Launch the lab; this downloads the lab's environment scripts from the BeSLab repository and executes them: `bli launch`
- Verify the lab installation: `bli status`