BBVA Labs - Security

Security Projects from BBVA Labs Security Team

Who we are

We are security practitioners controlling our paranoia (sometimes) and focusing our knowledge and experience to build new security solutions and practices for new (and old) IT systems and processes.

What we do

We research new security trends, techniques and solutions in cyber-security, focusing especially on SecDevOps processes with near-future impact on the security of BBVA Group and, hopefully, the rest of the world.

Our projects

We like Open Source and we believe in the "Don't reinvent the wheel" mantra.
We create projects that try to close the gaps not yet covered by other Open Source projects or commercial solutions.
Here you can check our projects. We invite you to use them, test them and ... collaborate. We welcome contributions!

APICheck - The DevSecOps toolset for REST APIs

API-Check is a complete toolset designed and created for testing REST APIs.
API-Check does not focus only on security testing and hacking use cases. The goal of the project is to be a complete toolset for DevSecOps cycles and for different user profiles:
  • Developers
  • System Administrators
  • Security & Pentesters

DeepTracy - The Security Dependency Analyzers Orchestrator

DeepTracy is an open security dependency orchestrator that runs as a service, featuring:
  • Ability to manage multiple security dependency analysers.
  • Web interface to manage different builds.
  • DevSecOps oriented. Built with integration with CI systems in mind.
  • GraphQL API, thanks to Hasura.

Patton - The clever vulnerability dependency finder

Patton Server can resolve any library name to its CPEs and return the associated CVEs. Features:
  • Get CPE identifier from service banner.
  • Get CPE identifier from operating system dependency name (Debian, Alpine, Red Hat, Python, Golang...).
  • Resolve CVE vulnerabilities from CPE identifiers.

Kapow - CLI as a Microservice

Kapow! is the most powerful way to expose command line tools as REST APIs.
Usage example
Creating a port scanning REST API backed by the well-known tool Nmap only needs a few Kapow! lines: http://site.com/tools/nmap/scan/{IP}

Masquerade - Real-Time data obfuscation

Masquerade is a high-performance, real-time, multi-location data obfuscation tool.
Masquerade lets you get data from many different locations or sources, obfuscate it, and export it to another location. For example:
You can get data from a CSV in an AWS S3 bucket and store the results in an HDFS filesystem... in real time!
Masquerade currently supports these locations:
  • AWS S3
  • HDFS
  • Google Cloud Storage (GCS)
  • RabbitMQ
  • Local files

Brainslug - Parasitic Computing Framework

BrainSlug is a framework for parasitic computing. It allows you to write programs whose code and logic live on one computer but whose actions or side effects are performed on another.

Q.E.D. - Scalable, auditable and high-performance tamper-evident log

QED is open-source software that allows you to establish trust relationships with others. It can be used in multiple scenarios: secure tamper-evident data transfers, tamper-evident (system/application/business) logging, etc.
QED guarantees that the system itself, even when deployed into a non-trusted server, cannot be modified without being detected. It also provides verifiable cryptographic proofs in logarithmic relation (time and size) to the number of entries.
QED aims to be scalable, resilient and ops friendly:
  • Designed to manage billions of events per shard
  • Over 2000 operations per second per shard under sustained load
  • Consistent replication through RAFT
  • Operable and instrumented with dozens of metrics
  • Zero config files, fully documented single binary