BBVA Labs - Security
We are security practitioners controlling our paranoia (sometimes) and focusing our knowledge and experience to build new security solutions and practices for new (and old) IT systems and processes.
We research new security tendencies, techniques and solutions in Cyber-security issues, especially focused in SecDevOps processes with near-future impact in the security of BBVA Group and hopefully in the rest of the world.
We like Open Source and we believe in the "Don't reinvent the wheel" mantra.
We create projects that try to close the gaps not covered by any other Open Source projects nor commercial solutions yet.
Here you can check our projects. We invite you to use them, test them and ... collaborate. We welcome contributions!
API-Check is a complete toolset designed and created for testing the REST API.
API-Check focus not only in the security testing and hacking use cases. The goal of the project is to be a complete toolset for DevSecOPs cycles and for different user profiles:
Developers
System Administrators
Security & Pentesters
​ | Github Repo: https://github.com/BBVA/apicheck Documentation: https://apicheck.readthedocs.io​ |
DeepTracy is an open security dependency orchestrator service that runs as a service, featuring:
Ability to manage multiple security dependency analysers.
Web interface to manage different builds.
DevSecOps oriented. Built having in mind the integration with C.I. systems.
GraphQL API, thanks to Hashura.
​ | Github Repo: https://github.com/BBVA/deeptracy Documentation: https://deeptracy.readthedocs.io/en/latest/​ |
Patton Server can resolve any library name to their CPEs and return the associated CVEs. Features:
Get CPE Identifier from service banner.
Get CPE identifier from operating system dependency name (Debian, Alpine, Redhat, Python, Golang...).
Resolve CVE vulnerabilities from CPE identifiers.
​ | Github Repo: https://github.com/BBVA/patton Documentation: https://patton.readthedocs.io​ |
Kapow! is the most powerful way to expose command line tools as REST APIs.
Usage example
Creating a port scanning REST API backed by the well-known tool Nmap only needs a few Kapow! lines: http://site.com/tools/nmap/scan/{IP}​
​ | Github Repo: https://github.com/BBVA/kapow Documentation: https://github.com/BBVA/kapow​ |
Masquerade is a high-performance, real-time, multi-location data obfuscation tool.
Masquerade allows getting data from many different locations or sources, obfuscate it, and export it to other location. i.e:
You can get data from CSV in an AWS S3 bucket, and store the results in a HDFS filesystem... in real time!
Masquerade currently supports these locations:
AWS S3
HDFS
Google Cloud Storage (GCS)
RabbitMQ
Local files
​ | Github Repo: https://github.com/BBVA/masquerade Documentation: https://masquerade-data.readthedocs.io​ |
BrainSlug is a framework for parasitic computing. Allowing you to write programs which code and logic live in a computer but actions or side-effects are performed on another.
​ | Github Repo: https://github.com/bbva/brainslug Documentation: https://github.com/bbva/brainslug​ |
QED is an open-source software that allows you to establish trust relations with others. It can be used in multiple scenarios: secure tamper-evident data transfers, tamper-evident (system/application/business) logging, etc.
QED guarantees that the system itself, even when deployed into a non-trusted server, cannot be modified without being detected. It also provides verifiable cryptographic proofs in logarithmic relation (time and size) to the number of entries.
QED aims to be scalable, resilient and ops friendly:
Designed to manage billions of events per shard
Over 2000 operations per second per shard under sustained load
Consistent replication through RAFT
Operable and instrumented with dozens of metrics
Zero config files, fully documented single binary
​ | Github Repo: https://github.com/BBVA/qed Documentation: https://qed.readthedocs.io​ |
