Secure all the things
This project is intended to help companies (small to large) start or significantly mature their security programs. It will contain policies, procedures, and program designs as well as baselines for common systems and software, scripts for frequent tasks or health checks, configurations/notes for a wide variety of security solutions, and many other resources.
Between my own experiences, consulting experiences, and conversations with many peers, it is pretty obvious organizations need help with security, whether it's sysadmins 'doing the best they can' without support from the organization to learn how to do things the right way (like securing O365, Exchange, firewalls, etc.) or experienced security practitioners struggling to 'run a program' due to the overwhelming number of standards, frameworks, regulations, conflicting opinions, and general complexity of building and running a security program.
Because the security industry is full of companies with fancy design teams and huge budgets selling rebranded open-source technology at a premium for their various bells and whistles. These products and innovative takes on open projects can be great but so often seem solely focused on their product and not their customers' security.
Because security is hard to do right.
Because I haven't seen an attempt at a comprehensive way to build a security program which also includes the resources to build it. Don't tell people they need 10 overlapping policies and provide no samples and no common criteria. Give examples and map the documents. Don't give a policy that says 'We do vulnerability management according to "x"', also give them the procedures and considerations to do vulnerability management that way.
Just started. Will be loading resources and components for the next several months before codifying the resources into a digestible structure with adequate documentation.
If you happen to be interested in helping with this admittedly enormous project I would appreciate any commits here and would especially appreciate any emails/conversations over beers/DMs with your experiences about successful and unsuccessful security endeavors. The domain is far too large for any one person to fully grasp and this will only truly be successful with the help of others who share a passion for security and securing things. Even if you only have some articles you'd like to recommend as resources, they would be appreciated!
I'll add some links to how to use this project here, including items such as:
- Core parts of a security program
- Determining what's right for your company?
- Starting point for small businesses
- Starting point for medium/large businesses
- Strategies for implementing organizational security changes
- Roadmap & planning resources.