forked from Be-Secure/BeSLab

BeSLab: Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab


ItsNibin/BeSLab

BeSLab

An open source security lab blueprint dedicated to fortifying open source projects, models and training datasets against potential vulnerabilities. Designed to operate efficiently even in low-resource settings, BeSLab provides a comprehensive solution that grants complete control and transparency to application security and security operations teams. It also serves as a valuable resource for security researchers by streamlining the process of bringing open source projects under scrutiny and significantly reducing remediation time.

With BeSLab, security professionals can leverage its suite of tools and functionalities to conduct thorough assessments, perform rigorous testing, and identify potential security gaps within open source projects. By offering complete visibility and control, BeSLab empowers security teams to implement robust security measures and safeguards, ensuring the integrity and resilience of open source software. You can leverage the BeS Environment Script Repository and BeS Playbooks to launch OSS security exploits (Red Teaming) and patch OSS vulnerabilities (Blue Teaming) from within a BeSLab.

Features

  • BeSLab is a blueprint hosted in BeSecure GitHub repository.
  • An organization (private / community / individual) utilizes the BeSLab blueprint to seed a lab instance in the infrastructure available with the organization.
  • A BeSLab instance is mainly concerned with open source artifacts such as projects, ML models, training datasets and vulnerabilities. The lab addresses them as Projects of Interest (PoI), Models of Interest (MoI), Training Datasets of Interest (TDoI), Documents of Interest (DoI) and Vulnerabilities of Interest (VoI).
  • BeSecure community hosts a publicly available BeSLab instance in GitHub called BeSecure Community Lab.
  • Each BeSLab instance is a registered Open Source Assurance Provider (OSAP). BeSecure Community Lab maintains the registry of all affiliated BeSLab instances across the world.
  • BeSLab instances across the world can exchange asset data using a standard interchange format called the BeS Exchange Schema.
  • BeSLighthouse is a dashboard that acts as the face of a BeSLab instance.
  • The core of a BeSLab instance is an installation of BeSLighthouse, a Git based source code management tool and a set of datastore repositories.
  • The Git based source code management platform in the lab has datastore repositories that maintain the details of PoI, MoI, TDoI, DoI and VoI.
  • The outcome of any BeSLab instance is the attested and verified risk posture report of the open source artifact.
  • The key idea behind a BeSLab is to reduce the overall cost of risk assessment of open source artifacts, since interested parties can subscribe to a lab service.
  • The risk posture assessment of an open source artifact is done by a cybersecurity analyst using the automated environments (for the open source artifacts) and playbooks (for the tools). The analyst submits the assessment outcome to the lab for publication, attestation and maintenance.
  • BeSecure community in GitHub has published open source environments and playbooks that can be utilized by the cybersecurity analyst.
  • A cybersecurity analyst must obtain a lab membership to take part in the lab.

Actors in a BeSLab

  • Organization - hosts the OSS Security lab instance
  • BeSLab Admin – Seeds and manages the lab operations
  • Security Analyst – Member or contributor to a lab, who utilizes the lab for red teaming and blue teaming efforts
  • Consumers/Subscribers - Organizations or individuals who consume or subscribe to OSS Security Lab services

Activities in a BeSLab

  • Seed a new lab
  • Add members to the lab
  • Onboard open source artifacts (PoI, MoI, TDoI, DoI, VoI)
  • Risk assessments of open source artifacts
  • Publish assessment reports
  • Attest a report
  • Verify a report issued by the lab
  • Distribute the TAVOSS version of an artifact

Types of BeSLab

Private Lab

Lab hosted privately inside an organization's private code collaboration platform

[Diagram: Private Lab]

Public Lab

Lab hosted in a community namespace of a public code collaboration platform like GitHub

[Diagram: Public Lab]

Personal Lab

Lab hosted privately within an individual's laptop or a virtual machine

[Diagram: Personal Lab]

Glossary of terms used in the above diagrams

PoI - OSS Projects of Interest
VoI - Vulnerabilities of Interest
MoI - Models Of Interest
TDSoI - Training Datasets Of Interest
DoI - Document Of Interest
E - BeSEnvironments Datastore
P - BeSPlaybooks Datastore
ADS - Attestation Datastore
OSAR - Open Source Assessment Report
HE1..N - Hosted BeS Environments 1..N
OSST1..N - Open Source Security Tools 1..N
LE1..N - Local BeSEnvironments 1..N
G - Genesis File for a Lab
OASP - OSS Assurance Service Provider

BeSLab Instances Interactions

[Diagram: Lab Interactions]

Glossary

Field - Description
BeSecure - Open source community ecosystem developed and maintained by open source security specialists
BeS - Short form for BeSecure
BeSLab - Open source security lab blueprint dedicated to fortifying open source projects, models and training datasets. Utilize this blueprint to spin up an open source security lab.
BeSLab Admin - Administrator of a BeSLab instance
Cybersecurity Analyst - Member of a BeSLab instance who performs the Red Teaming (RT) and Blue Teaming (BT) activities on the open source artifacts.
BeSPod - Group of skilled people who can utilize a lab to do Red Teaming and Blue Teaming on open source artifacts
BLIman - Command line utility for the administration of a BeSLab instance. The BeSLab Admin uses it for lab seeding, artifact onboarding, member onboarding, etc.
Genesis File - Configuration file used by BLIman to seed a BeSLab instance
BeSEnvironments - A customized computing setup with all the tools necessary for security assessment and remediation pre-installed. The environments are packaged as shell scripts that are executed on a target machine using BeSMan.
BeSMan - Command line utility to create a BeS Environment
BeSPlaybooks - Automated execution steps for a specific tool or activity
BeSecure Community Lab - A public BeSLab instance hosted in GitHub; it also acts as the registry of all BeSLab instances in the world
Open Source Projects of Interest (PoI) - Open source project to which a BeSLab provides security services such as assessment and remediation
Open Source Models Of Interest (MoI) - Open source ML model to which a BeSLab provides security services such as assessment and remediation
Vulnerabilities of Interest (VoI) - Vulnerability information that a BeSLab tracks because it affects a PoI
Training DataSets Of Interest (TDSoI) - Publicly available ML model training dataset for which a BeSLab provides validation services
Document Of Interest (DoI) - Content needing attestation, plagiarism checks, deepfake detection, or copyright / watermarking. In this case the CDN serves as the datastore or document database.
Open Source Artifacts - PoI, MoI, TDoI, DoI and VoI
TAVOSS - Trusted and Verified Open Source Software
OSS Assurance Service Provider (OASP) - Each BeSLab instance is an OASP that provides assurance services on the open source artifacts it is interested in.
BeSLighthouse - Dashboard that gives a view into the services of a lab.
Attestation Datastore - Datastore that hosts digitally attested artifacts issued by a BeSLab instance.
Open Source Assessment Report (OSAR) - Open source artifact assessment reports issued by the lab. For instance, a vulnerability assessment report on an OSS project is an OSAR.
Open Source Security Tools (OSST) - The tools used for the risk assessment of open source artifacts maintained in the lab.

Trusted And Verified Open Source Software (TAVOSS)

  • TAVOSS is software that is vetted and secure and can help address security concerns.
  • TAVOSS is a set of principles and practices that can help the adoption of open source in enterprises.
  • TAVOSS software is also accompanied by documentation and support, which can help address the lack of knowledge and cultural resistance.

Getting Started

Considerations

  • BLIman is a command line utility to deploy and manage a BeSLab instance.
  • Decide on the BeSLab mode and the deployment type for each lab mode.
  • Lab modes
    • Lite Mode
    • Host Mode (Work in progress)
    • Bare Mode (Work in progress)
  • Deployment types for each lab mode.
    • Private Lab - Owned by an organization for commercial usage.
    • Public Lab (Work in progress) - Community lab hosted in any public code collaboration repository.
    • Personal Lab (Work in progress) - Owned by an individual for learning and research purpose.
  • Have a good understanding of the genesis.yaml file. The lab configuration is completely driven through the genesis file.
  • You could use the available Jupyter notebooks for lab deployments, or follow the manual process described below.

Seed a Private Lab

Choose any one installation method described below.

Pre-requisites for a private BeSLab deployment

  • Ubuntu VM - Minimum 4vCPU, 8GB RAM, 16GB Disk Space
  • curl
  • unzip
  • bash
  • AWS Specific Configurations
    An AWS VM installed with Ubuntu 22.04 contains some AWS-specific packages installed at older versions, so the system pops up warning messages about those packages and about the kernel being an old version. These pop-ups hamper the non-interactive installation of BeSLab. To suppress these warnings during installation, follow the steps below.
    Open the file /etc/needrestart/needrestart.conf
    Change the following parameters and save the changes.
    
    Uncomment and set $nrconf{restart} = 'a';
    Uncomment $nrconf{kernelhints} = -1;
    
    Save and exit the file.
    

Method 1. Using Jupyter notebook

  1. Login to the dedicated machine for this BeSLab instance and switch to sudo user.
  2. Install python and pip on the server.
    sudo apt-get update && sudo apt-get upgrade -y
    sudo apt-get -y install python3-pip
    
  3. Install Jupyter Notebook.
    sudo python3 -m pip install jupyter
    
  4. Generate the Jupyter notebook config file.
    jupyter notebook --generate-config
    
  5. Edit the Jupyter config file.
    vi $HOME/.jupyter/jupyter_notebook_config.py
    
    Change following and save
    c.ServerApp.ip = '0.0.0.0'
    Uncomment c.ServerApp.open_browser = False
    
  6. Save and close
  7. Run the Jupyter notebook.
    jupyter notebook --allow-root
    
    Note down the token and port number from the screen.
  8. Open Jupyter notebook UI on your browser using the IP/Domain and port you captured in the previous step.
  9. Provide the token copied from step 7 in the Jupyter UI.
  10. Download the notebook from this location.
  11. Click the Upload button at the top right of the Jupyter Notebook UI and select the notebook downloaded in the previous step.
  12. Read through the notebook and follow the instructions.
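Both "uncomment and set" edits above (the needrestart change in the AWS pre-requisite and the Jupyter config change in step 5 of Method 1) are easy to get wrong by hand, and a second run of a hand-edited sed line can leave the key duplicated or still commented out. The script below is an added example, not part of BLIman, BeSMan or the BeSLab repository; the function names are its own. It replaces any existing line for a key (active or commented out) with the wanted line, or appends the line if absent, so it can be re-run safely, and it offers a check that the active line is really present.

```shell
#!/usr/bin/env bash
# Added example (not BeSLab tooling): make the README's two "uncomment and
# set" config edits repeatable. Re-running leaves a single active line per key.
set -u

# set_config_line FILE KEY_REGEX LINE
#   KEY_REGEX is an ERE for the start of the key, written without backslashes
#   (use [$] and [.] for literal characters); leading '#' and whitespace are
#   tolerated so commented-out defaults are replaced too.
set_config_line() {
    file="$1" key="$2" line="$3"
    tmp="$(mktemp)"
    awk -v k="^[#[:space:]]*$key" '$0 !~ k' "$file" > "$tmp"
    printf '%s\n' "$line" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# Is the exact, active (uncommented) line present in FILE?
has_config_line() { grep -qxF -- "$2" "$1"; }

# AWS Ubuntu 22.04 pre-requisite: stop needrestart's interactive prompts so the
# non-interactive BeSLab install is not blocked. Path defaults to the README's.
configure_needrestart() {
    f="${1:-/etc/needrestart/needrestart.conf}"
    set_config_line "$f" '[$]nrconf[{]restart[}]'     "\$nrconf{restart} = 'a';"
    set_config_line "$f" '[$]nrconf[{]kernelhints[}]' "\$nrconf{kernelhints} = -1;"
}

# Method 1, step 5: listen on all interfaces and do not try to open a browser.
configure_jupyter() {
    f="${1:-$HOME/.jupyter/jupyter_notebook_config.py}"
    set_config_line "$f" 'c[.]ServerApp[.]ip[[:space:]]*='           "c.ServerApp.ip = '0.0.0.0'"
    set_config_line "$f" 'c[.]ServerApp[.]open_browser[[:space:]]*=' "c.ServerApp.open_browser = False"
}

# Usage (as root for the needrestart file):
#   . ./beslab-config-edits.sh && configure_needrestart && configure_jupyter
```

Because the awk pattern is passed with `-v` and contains no backslashes, it behaves the same under GNU awk and mawk; `has_config_line` uses a fixed-string whole-line match, so a still-commented default does not count as configured.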

Method 2. Manual Installation

Execute the steps below on the machine where BeSLab needs to be installed.

  1. Login to the dedicated machine for this BeSLab instance and switch to sudo user.
  2. Install BLIman following instructions here
  3. Verify the BLIman is installed.
    bli help
    
  4. Edit the genesis.yaml installed in the current working directory.
  5. Load the genesis file
    bli load
    
  6. Initialize BLIman. This installs the BeSMan utility under the hood.
    bli initmode <mode name>
    
    <mode name> can be any one of host, bare or lite. Only lite mode is available as of now. Example: bli initmode lite
  7. Initialize BeSMan
    source $HOME/.besman/bin/besman-init.sh
    
  8. Verify the BeSMan installation
    bes help
    
  9. Launch the lab
    bli launchlab
    
  10. Verify the lab installation
    • Open GitLab. In a browser, enter http://gitlab-server-IP (give the actual IP or domain name). Log in with the default credentials (lab name configured in genesis.yaml / Welc0me@123). Change the default password upon login.
    • Open BeSLighthouse. In a browser, enter http://BeSLighthouse-IP:3000 (give the actual IP or domain name). The BeSLighthouse UI should open. Click the "Projects Of Interest" tab and verify that it shows an empty list.
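The manual steps above are sequential and each depends on the previous one having worked (bli must exist before bli load, bes only exists after besman-init.sh has been sourced, the UIs only answer after bli launchlab). The wrapper below is an added example and not part of BLIman or BeSMan: it runs steps 3 to 9 in order, stops at the first failure, rejects the modes the README lists as work in progress, and then probes the two URLs from step 10. The two URL defaults are the README's placeholders and must be overridden for a real lab; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not BLIman/BeSMan code: run the Method 2 steps in order,
# stop at the first failure, and confirm both UIs answer over HTTP.
set -eu

GITLAB_URL="${GITLAB_URL:-http://gitlab-server-IP}"              # placeholder from the README
LIGHTHOUSE_URL="${LIGHTHOUSE_URL:-http://BeSLighthouse-IP:3000}" # placeholder from the README
LAB_MODE="${LAB_MODE:-lite}"

# Only lite mode is available; host and bare are listed but work in progress.
valid_lab_mode() {
    case "$1" in
        lite) return 0 ;;
        host|bare) echo "mode '$1' is not available yet; use lite" >&2; return 1 ;;
        *) echo "unknown mode '$1' (expected lite, host or bare)" >&2; return 1 ;;
    esac
}

# Is a command on PATH? (bli after installing BLIman, bes after besman-init.sh)
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# Reachability probe: any HTTP status means the service answered; a connection
# failure (or a missing curl) yields 000 and fails the check.
ui_reachable() {
    code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null)" || code=000
    [ "$code" != "000" ]
}

seed_lab() {
    valid_lab_mode "$LAB_MODE"
    have_cmd bli || { echo "bli not found: install BLIman first (step 2)" >&2; return 1; }
    bli help >/dev/null                                   # step 3
    [ -f genesis.yaml ] || { echo "genesis.yaml not found in $(pwd) (step 4)" >&2; return 1; }
    bli load                                              # step 5
    bli initmode "$LAB_MODE"                              # step 6
    . "$HOME/.besman/bin/besman-init.sh"                  # step 7
    have_cmd bes || { echo "bes not found after besman-init.sh" >&2; return 1; }
    bes help >/dev/null                                   # step 8
    bli launchlab                                         # step 9
    ui_reachable "$GITLAB_URL"     || { echo "GitLab not reachable at $GITLAB_URL" >&2; return 1; }
    ui_reachable "$LIGHTHOUSE_URL" || { echo "BeSLighthouse not reachable at $LIGHTHOUSE_URL" >&2; return 1; }
    echo "lab seeded: log in to GitLab and change the default password now (step 10)"
}

# Run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    seed_lab
fi
```

Invoke it from the directory holding genesis.yaml, for example `GITLAB_URL=http://10.0.0.5 LIGHTHOUSE_URL=http://10.0.0.5:3000 bash seed-lab.sh --run` (addresses are illustrative). The probe deliberately accepts any HTTP status, including 4xx, because a GitLab login page or a redirect still proves the service is up; a real health check would follow with an authenticated request.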
