Advanced Computing in the Age of AI|Wednesday, August 12, 2020
  • Subscribe to EnterpriseAI Weekly Updates:  Subscribe by email

NSA Contributes Security Tools For Puppet 

IT automation specialist Puppet Labs has announced a new partner: The U.S. National Security Agency.

Puppet Labs said Friday (June 19) that NSA is releasing to the open source community a set of tools based on Puppet Labs' technologies called Systems Integrity Management Platform, or SIMP. The framework is intended to automatically enforce compliance with various profiles called the Security Content Automation Program.

"We see Puppet as a natural fit for the NSA’s complex infrastructure," Carl Caum, a marketing manager at Puppet Labs noted in a blog post. Puppet Labs' software is used to automate configuration and management of systems and the software the runs on them.

The U.S. spy agency's move to release the modules means it can be shared by what Puppet Labs claims is the largest open source community built around "infrastructure as code." For now, the company said it does not know whether the NSA modules would be added to a list of more than 3,200 existing modules on the Puppet Forge, the company's repository of modules written by the Puppet community.

Each module is designed to manage a specific infrastructure component. Puppet Labs said the NSA modules could be used by other organizations facing similar infrastructure challenges.

The company, based in Portland, Ore., acknowledged it was not involved in development of NSA modules, but said it would work to ensure they work for its customers.

In an email response to questions about the nature of NSA's involvement with its open source community, Puppet Labs said it "didn't work with the NSA on these modules. Because Puppet is open source, the community can use Puppet to their needs and can freely contribute their work back to the open source community. That's what the NSA did here.

"Because Puppet is open source, anyone can see code that has been openly contributed back to the community. However, this does not give the NSA access to code that has not been previously shared publicly," the company added.

Caum added in his blog post: "The Puppet resource graph understands every configuration on each system, each configuration's desired state and the dependencies between configurations. Compliance policies, such as STIGs [Security Technical Implementation Guides], can be documented in easy-to-read Puppet code, and then Puppet enforces these policies, automatically and immediately remediating where necessary."

STIGS along with NSA guidelines are used as configuration standards for Defense Department systems and devices that are considered enabled for "information assurance."

Coincidently, Puppet Labs announced in May it was partnering with Chinese IT and telecommunications giant Huawei to bring native Puppet support to Huawei networking devices. In 2012, Congress investigated Huawei as a potential U.S. security threat. Earlier this year, the U.K. government also investigated Huawei and ruled it was not a threat to British national security.

Along with the odd couple of NSA and Huawei, Puppet Labs says it has more than 2,000 "committers" to GitHub projects, more than 3,200 modules on the Puppet Force and more than 6,100 participants contributing code to the open source community.

The next contributor summit is scheduled for Oct. 7 in Portland, Ore. The events include contributors to Puppet Labs modules or to Puppet Forge.

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).

3 Responses to NSA Contributes Security Tools For Puppet

  1. Edward S

    Interesting choice of technology. Is NSA not aware of the fact that Puppet Labs is, by far, the most insecure of all automation tools in the market? According to NIST and the National Vulnerability Database, Puppet Labs has had 64 security vulnerabilities, of which several are critical.

    https://web.nvd.nist.gov/view/vuln/search-results?query=puppet&search_type=all&cves=on

     
  2. Alison Diana

    Fascinating, Edward. I had not read that NIST report. Perhaps, though, NSA is looking to leverage those vulnerabilities…?!

     
  3. Matt Borja

    FYI, it is now 2017 and many of the vulnerabilities on NVD have been addressed here (with exception to community-owned and maintained Puppet modules of course):

    https://docs.puppet.com/security/index.html

     

Add a Comment

Do NOT follow this link or you will be banned from the site!
Share This