But wariness of the NSA as a software supplier will make it hard for the SIMP cyber security project to attract users Credit: Thinkstock A tool devised by the National Security Agency to “maintain a specific security posture” is now available as an open source project — the first offering on the agency’s recently inaugurated GitHub page. The Systems Integrity Management Platform (SIMP) tool uses the Puppet framework to ensure network systems running Red Hat Linux remain compliant with established security standards. Less clear, given NSA’s reputation, is whether anyone outside of a government agency operating under a mandate will use it. Aside from its controversial origins, SIMP appears to be a fairly straightforward project. It uses Puppet and Ruby to provide automated security management on systems running Red Hat Enterprise Linux 6.6 or 7.1, as well as matching versions of CentOS. The automation follows existing automation guidelines devised by Red Hat and is in compliance with protocols laid down by NIST. SIMP’s release is part of an ongoing NSA project, the Technology Transfer Program (TTP), that allows its work to be reused by other government agencies and the private sector. The TTP, which has been around since 2006, declassifies technologies developed for previous operations and shares them, typically by way of NDAs and licensing agreements. With SIMP, the source code is provided as an Apache-licensed project, meaning no NDA is required and its potential for reuse is nearly unlimited. The NSA has signaled its willingness to use open source and public computing resources before. Earlier this year it described how it was using the OpenFlow SDN system for its internal operations, citing OpenFlow’s highly granular controls. OpenStack and Hadoop are also part of its tool set, and the agency has released some of the work it’s done with the former — again, on GitHub. Likewise, SIMP’s maintainers are using several familiar public tools on the project — not only GitHub, but also Google Groups, Gerrithub, HipChat, and JIRA. All of this is unlikely to lower suspicions of anything bearing NSA’s thumbprint. SIMP will need to gain a third-party imprimatur — for instance, an independent code audit — before anyone will use it, unless required to do so. Technology IndustrySecurityNetwork Security