Anatomy of an Open Source Engineer

Open Source coding provides a unique opportunity to the information security community where individuals across many different industries, backgrounds and perspectives can work together to solve complex problems.

Last year, Walmart Global Tech’s cybersecurity team contributed a little over 250k lines of code to open source projects. In this story we will highlight three InfoSec associates who are current owners, maintainers and contributors to major open source projects to learn more about what makes them tick and why they think open source coding is important to the broader community.

Education, experience and exposure

Although all three associates have a degree in Computer science, they each had different focus areas that have given them a unique perspective on their current role from malware intelligence automation, software testing, to information security engineering. So, what brought them to cybersecurity and Walmart Global Tech?

For Connor Shride, Intrusion Analyst, it all started with cybersecurity extra-curricular activities at his University.

“I needed something more on top of software engineering that was interesting and inherently meaningful. I had already been involved in the Cybersecurity club, and the Collegiate Cybersecurity Defense Competition. After the Southwest regional, at which Walmart was a sponsor, I decided that Cybersecurity was where I needed to switch my focus to. I got in contact with the Walmart folks who were recruiting from the competition, and here I am!”

Carrie Roberts, Dynamic Defense Engineer, had an eye-opening experience when working as a web application developer that piqued her interests and she ended up pursuing a Master’s degree in Information Security. She went on to join Walmart Global Tech red team and now is using her experience with “offensive” strategies to support our blue team.

“One day before the release of my Web Application to the public I learned that my application was vulnerable to SQL Injection, Cross-Site Scripting and several other things I had never heard of before. This meant that my application would have been easily hacked. The report was a real eye opener to me that there was an important element of being a good developer that I knew nothing about — Information Security!”

Passion and creativity play a role

There are many technical skills that can be taught, a good open source engineer needs to have certain strengths to successfully create an open sourced solution. When asked what skills or strengths they find invaluable, here is what Kirk and Carrie had to say.

“I think the primary skills and strengths needed are creativity, willingness to think outside the box, and the drive to push through and solve difficult problems. With open source software whatever you are doing is new and fairly uncharted.” — Kirk Sayre, Senior Technical Expert

“If I could sum it up in one word I would say “Passion”, you need to be passionate about the project and its possibilities. Anything else you need can be learned, but if you aren’t passionate you won’t have the drive to make it happen.” — Carrie Roberts

Benefits for all

With open source projects, there are three main benefactors; the companies, community and contributors.

“Cyber security is an interesting field where unlike other fields a solution that helps your business will actually help your business out more if shared than if it is held secret. Malicious actors operate as businesses themselves, so any reductions to their revenue stream helps out everyone.” — Kirk

“When open source projects are attentively maintained, the software ends up being more secure than closed source solutions because more eyes can prod at potential vulnerabilities beyond just those of the development team. Open source projects also open up the opportunity for new developers to see how enterprise code works and build their resumes by contributing to it.” — Connor

“Open source provides a free solution that is very transparent. You can see exactly what you are getting and are able to modify it to fit your specific needs. Open source projects benefit from the diverse background and skillset of its many contributors.” — Carrie

Want to learn more about their current open source projects?

Carrie Roberts has been involved with the Atomic Red Team project. It is a set of scripted cyber attacks that can be used to build and validate defensive capabilities. There are a number of other companies that use Atomic Red Team such as Red Canary, SCYTHE, Mitre CALDERA and Deloitte. Fun fact: Over the last year, Walmart associates have made over 50% of all contributions to the Atomic Red Team project.

Kirk Sayre’s main open source project is a tool called ViperMonkey. It’s an emulator written in Python that runs under Linux that emulates the behavior of macro enabled Office files (Excel and Word), VBScript script files, and VBScript HTA files. It emulates what would happen if Office macros were enabled or VBScript was run without actually opening the malicious input file in Office or running the input script file under Windows. Because malicious Office files and VBScript script files are frequently used in the initial phases of attacks, being able to easily get information about this phase of the attack helps in detecting and stopping attacks before they have an opportunity to actually damage your organization. ViperMonkey is currently being used by large financial organizations, cyber security firms, and the Department of Defense.

Connor’s project is called box-ps. It is a tool that takes a stab at the analysis of potentially malicious PowerShell scripts. PowerShell is widely used by attackers because of its wide availability in all networks that rely heavily on Windows, as well as for its ability to easily interface with the Windows operating system to do malicious things. Box-ps offers a way to automate PowerShell analysis in a way that makes obfuscation irrelevant, as well as a design that lends itself to being plugged into other pieces of automation, so organizations can use it where they find the most value. This solution is currently being used by multiple major retailers.

Conclusion

Whether you’re a seasoned information security professional or just starting out in your career as a developer, you can help build a safer cybersecurity community by contributing your skills and perspective to various open source projects. I would encourage everyone with a passion for cybersecurity and an exploration mindset to browse open source projects in your area of expertise.

Interested in joining Walmart Global Tech’s Information Security team? Check out the open positions.