Summary How secure are your servers? The best way to be sure that your systems aren’t being compromised is to do it yourself. In this episode Daniel Goldberg explains how you can use his project Infection Monkey to run a scan of your infrastructure to find and fix the vulnerabilities that can be taken advantage of. He also discusses his reasons for building it in Python, how it compares to other security scanners, and how you can get involved to keep making it better. Preface Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great. When you’re ready to launch your next app you’ll need somewhere to deploy it, so check out Linode. With private networking, shared block storage, node balancers, and a 40Gbit network, all controlled by a brand new API you’ve got everything you need to scale up. Go to podcastinit.com/linode to get a $20 credit and launch a new server in under a minute. Visit the site to subscribe to the show, sign up for the newsletter, and read the show notes. And if you have any questions, comments, or suggestions I would love to hear them. You can reach me on Twitter at @Podcast__init__ or email hosts@podcastinit.com) To help other people find the show please leave a review on iTunes, or Google Play Music, tell your friends and co-workers, and share it on social media. Join the community in the new Zulip chat workspace at podcastinit.com/chat Your host as usual is Tobias Macey and today I’m interviewing Daniel Goldberg about Infection Monkey, an open source system breach simulation tool for evaluating the security of your network Interview Introductions How did you get introduced to Python? What is infection monkey and what was the reason for building it? What was the reasoning for building it in Python? If you were to start over today what would you do differently? Penetration testing is typically an endeavor that requires a significant amount of knowledge and experience of security practices. What have been some of the most difficult aspects of building an automated vulnerability testing system? How does a deployed instance keep up to date with recent exploits and attack vectors? How does Infection Monkey compare to other tools such as Nessus and Nexpose? What are some examples of the types of vulnerabilities that can be discovered by Infection Monkey? What kinds of information can Infection Monkey discover during a scan? How does that information get reported to the user? How much security experience is necessary to understand and address the findings in a given report generated from a scan? What techniques do you use to ensure that the simulated compromises can be safely reverted? What are some aspects of network security and system vulnerabilities that Infection Monkey is unable to detect and/or analyze? For someone who is interested in using Infection Monkey what are the steps involved in getting it set up? What is the workflow for running a scan? Is Infection Monkey intended to be run continuously, or only with the interaction of an operator? What are your plans for the future of Infection Monkey? Keep In Touch danielguardicore on GitHub Guardicore Blog Picks Tobias Darkest Hour Daniel How Complex Systems Fail Links Infection Monkey Guardicore Stack Overflow Metasploit AsyncIO React Nessus Nexpose Shellshock Wannacry Simian Army Chaos Engineering Capuchin Monkey Google Summer of Code The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA