# BBVA Labs - Security

## Who we are

We are security practitioners controlling our paranoia (sometimes) and focusing our knowledge and experience to build new security solutions and practices for new (and old) IT systems and processes.

## What we do

We research new **security trends, techniques and solutions** in cyber-security, with a particular focus on **SecDevOps** processes that will have a near-future impact on the security of BBVA Group and, hopefully, the rest of the world.

## Our projects

We like Open Source and we believe in the **"Don't reinvent the wheel"** mantra.

We create projects that **try to close the gaps** not yet covered by any other Open Source project or commercial solution.

Here you can check our projects. We invite you to use them, test them and ... collaborate. **We welcome contributions!**

### APICheck - The DevSecOps toolset for REST APIs

APICheck is a complete **toolset** designed and created for **testing REST APIs**.

APICheck does not focus only on security testing and hacking use cases. The goal of the project is to be a complete toolset for DevSecOps cycles and for different user profiles:

* Developers
* System Administrators
* Security & Pentesters

**Github Repo**: <https://github.com/BBVA/apicheck><br>
**Documentation**: <https://apicheck.readthedocs.io>

### DeepTracy - The Security Dependency Analyzers Orchestrator

DeepTracy is an open security dependency orchestrator that runs as a service, featuring:

* Ability to manage multiple security dependency analysers.
* Web interface to manage different builds.
* DevSecOps oriented: built with CI system integration in mind.
* GraphQL API, thanks to Hasura.

**Github Repo**: <https://github.com/BBVA/deeptracy><br>
**Documentation**: <https://deeptracy.readthedocs.io/en/latest/>

### Patton - The clever vulnerability dependency finder

Patton Server can resolve any library name to its CPEs and return the associated CVEs. Features:

* Get [CPE](https://nvd.nist.gov/products/cpe) Identifier from service banner.
* Get CPE identifier from operating system dependency name (Debian, Alpine, Redhat, Python, Golang...).
* **Resolve CVE** vulnerabilities **from CPE identifiers**.

**Github Repo**: <https://github.com/BBVA/patton><br>
**Documentation**: <https://patton.readthedocs.io>

### Kapow - CLI as a Microservice

Kapow! is the most powerful way to expose command line tools as REST APIs.

**Usage example**

Creating a port-scanning REST API backed by the well-known tool [Nmap](https://nmap.org) takes only a few lines of Kapow!, exposing an endpoint such as `http://site.com/tools/nmap/scan/{IP}`.

**Github Repo**: <https://github.com/BBVA/kapow><br>
**Documentation**: <https://github.com/BBVA/kapow>

### Masquerade - Real-Time data obfuscation

Masquerade is a high-performance, real-time, multi-location data obfuscation tool.

Masquerade lets you get data from many different locations or sources, obfuscate it, and export it to another location. For example:

**You can get data from a CSV in an AWS S3 bucket and store the results in an HDFS filesystem... in real time!**

Masquerade currently supports these locations:

* AWS S3
* HDFS
* Google Cloud Storage (GCS)
* RabbitMQ
* Local files

**Github Repo**: <https://github.com/BBVA/masquerade><br>
**Documentation**: <https://masquerade-data.readthedocs.io>

### Brainslug - Parasitic Computing Framework

BrainSlug is a framework for parasitic computing. It lets you write programs whose code and logic live on one computer while their actions or side effects are performed on another.

**Github Repo**: <https://github.com/bbva/brainslug><br>
**Documentation**: <https://github.com/bbva/brainslug>

### Q.E.D. - Scalable, auditable and high-performance tamper-evident log

QED is open-source software that allows you to establish trust relationships with others. It can be used in multiple scenarios: secure tamper-evident data transfers, tamper-evident (system/application/business) logging, etc.

QED guarantees that the system itself, even when deployed on a non-trusted server, cannot be modified without being detected. It also provides verifiable cryptographic proofs whose time and size are logarithmic in the number of entries.

QED aims to be scalable, resilient and ops friendly:

* Designed to manage billions of events per shard
* Over 2000 operations per second per shard under sustained load
* Consistent replication through RAFT
* Operable and instrumented with dozens of metrics
* Zero config files, fully documented single binary

**Github Repo**: <https://github.com/BBVA/qed><br>
**Documentation**: <https://qed.readthedocs.io>

