3. Purpose of the Analysis:
The purpose of this project was to determine the security risks
posed by allowing Athena to remain open sourced.
In coordination with TRADOC G-27 Modeling and Simulation
Branch (M&SB) Fort Leavenworth, KS, Elizabeth Walden, a
student enrolled in the IT Internship course at the University of
Saint Mary in Leavenworth, Kansas, reviewed the security and
configuration management aspects of open sourcing TRADOC G-
27’s Athena simulation on GitHub.
4. Background
Athena originally hosted on GitHub Enterprise at Jet
Propulsion Lab
Fall 2015: decision made to offer Athena as an open source
tool on GitHub due to termination of funds
Athena is a software application that enables analysts and
commanders to simulate the Political, Military, Economic,
Social, Infrastructure, and Information (PMESII) entities and
processes within the context of a battlefield environment, a
wide-area security operation, or in support of a country study
to evaluate social evolution dynamics.
5. Major Components: Git and GitHub
Widely used source code
management system for a
collaborative software
development environment
Provide a reliable and
versatile version control and
configuration management
process
Git repository hosting service
Web-based graphical interface
Hosted: online, local, enterprise
GitHub.com free personal accounts
Provides access control and
collaboration features
8. Advantages and Disadvantages
Price effective
Revision control services
Bug tracking services
Task management features
Wikis for every project
Online collaboration capability
Although this is a great collaborating concept, like
anything hosted on the Internet, it is at risk for
malicious activity.
Once the external developers have access to the
source code, they potentially have control of that
version of Athena and there is no means to
retrieving it completely back once people start
making local copies.
GitHub.com is a public repository; anyone with an
account can gain access to Athena’s source code.
It costs to have a versioning repository on GitHub
11. Access Permission: Collaborator
Administrator grants access to:
Push to (write), pull from (read), and fork (copy) the repository
Apply labels and milestones
Open, close, re-open, and assign issues
Edit and delete comments on commits, pull requests, and issues
Merge and close pull requests
Send pull requests from forks of the repository
Create and edit Wikis
Create and edit Releases
Remove themselves as collaborators on the repository
12. GitHub Safeguards
System Security
System installation using
hardened, patched Operating
System
Dedicated firewall and VPN
services to help block
unauthorized system access
Distributed Denial of Service
(DDoS) mitigation services
powered by industry-leading
solutions
Maintaining Security
All passwords are filtered from all our logs
and are one-way encrypted in the
database using bcrypt. Info sent over
Secure Sockets Layer
Two-Factor Authentication when accessing
account
We have full time security staff to help
identify and prevent new attack vectors
Perform regular penetration tests and
ongoing audits of GitHub and its code
13. Hackers
DDoS Attack 2015
Distributed Denial of Service
Shutdown GitHub for over 24 hours
Device at the border of China’s inner
network and the Internet has hijacked
the HTTP connections went into
China, replaced some JavaScript
files from Baidu with malicious ones
Uber Breach 2014
50,000 drivers’ personal info breach
leak of database administrator
credentials and private keys
Uber developers mistakenly put
database key on public GitHub site
22. Recommendation
Redesign home page
Determine ongoing ownership
Developer vs User Portal design
Establish requirements for collaborators
23. Summary
The purpose of this project was to review the security and
configuration management aspects of open sourcing TRADOC
G-28’s Athena simulation on GitHub. Athena has been an open-
source tool hosted on GitHub since Fall 2o15. GitHub offers
efficient configuration management features such as version
control and bug tracking. By keeping Athena on GitHub, Athena
will gain more exposure and maintain its integrity with the
processes already in place by GitHub.