Elizabeth Walden
University of Saint Mary
An Analysis on Open Sourcing Athena on GitHub
Outline:
Introduction
Background
GitHub
Major components
Advantages
Disadvantages
Security
Configuration Management
Recommendations
Summary
Purpose of the Analysis:
• The purpose of this project was to determine the security risks posed by allowing Athena to remain open sourced.
• In coordination with TRADOC G-27 Modeling and Simulation Branch (M&SB), Fort Leavenworth, KS, Elizabeth Walden, a student enrolled in the IT Internship course at the University of Saint Mary in Leavenworth, Kansas, reviewed the security and configuration management aspects of open sourcing TRADOC G-27’s Athena simulation on GitHub.
Background
• Athena was originally hosted on GitHub Enterprise at the Jet Propulsion Laboratory
• Fall 2015: decision made to offer Athena as an open source tool on GitHub due to termination of funds
• Athena is a software application that enables analysts and commanders to simulate the Political, Military, Economic, Social, Infrastructure, and Information (PMESII) entities and processes within the context of a battlefield environment, a wide-area security operation, or in support of a country study to evaluate social evolution dynamics.
Major Components: Git and GitHub
Git
• Widely used source code management system for a collaborative software development environment
• Provides a reliable and versatile version control and configuration management process
GitHub
• Git repository hosting service
• Web-based graphical interface
• Hosted: online, local, enterprise
• GitHub.com free personal accounts
• Provides access control and collaboration features
Advantages and Disadvantages
Advantages
• Cost effective
• Revision control services
• Bug tracking services
• Task management features
• Wikis for every project
• Online collaboration capability
Disadvantages
• Although this is a great collaboration concept, like anything hosted on the Internet, it is at risk of malicious activity.
• Once external developers have access to the source code, they potentially have control of that version of Athena, and there is no means of retrieving it completely once people start making local copies.
• GitHub.com is a public repository; anyone with an account can gain access to Athena’s source code.
• There is a cost to hosting a versioning repository on GitHub.
Security
• Access Permission
• Safeguards
• Hackers
• DDoS
• Uber
• Vulnerability Prevention
• Activity Log
Access Permissions: Administrator
Owner = Full Control = Administrator
• Add collaborators
• Change visibility
• Delete the repo
Access Permission: Collaborator
Administrator grants access to:
• Push to (write), pull from (read), and fork (copy) the repository
• Apply labels and milestones
• Open, close, re-open, and assign issues
• Edit and delete comments on commits, pull requests, and issues
• Merge and close pull requests
• Send pull requests from forks of the repository
• Create and edit Wikis
• Create and edit Releases
• Remove themselves as collaborators on the repository
GitHub Safeguards
System Security
• System installation using hardened, patched Operating System
• Dedicated firewall and VPN services to help block unauthorized system access
• Distributed Denial of Service (DDoS) mitigation services powered by industry-leading solutions
Maintaining Security
• All passwords are filtered from all our logs and are one-way encrypted in the database using bcrypt. Info sent over Secure Sockets Layer
• Two-Factor Authentication when accessing account
• We have full time security staff to help identify and prevent new attack vectors
• Perform regular penetration tests and ongoing audits of GitHub and its code
Hackers
DDoS Attack 2015
• Distributed Denial of Service
• Shut down GitHub for over 24 hours
• A device at the border of China’s internal network and the Internet hijacked HTTP connections going into China and replaced some JavaScript files from Baidu with malicious ones
Uber Breach 2014
• Breach of 50,000 drivers’ personal information
• Leak of database administrator credentials and private keys
• Uber developers mistakenly put a database key on the public GitHub site
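The Uber incident above is the failure mode a collaborator requirement for Athena should guard against: a credential or private key committed to a public repository. As an added example (not part of this presentation), the Python check below scans a set of files about to be pushed for private-key headers and hard-coded database credentials; the patterns, file names and file contents are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed detection patterns (assumption: these cover the common cases,
# they are not an exhaustive secret taxonomy).
SECRET_PATTERNS = {
    # PEM private-key header, the kind of material leaked in the Uber case
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # password = "..." or password: "..." style assignments in config/source
    "password_assignment": re.compile(
        r"(?i)\b(?:db_)?(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    # connection URLs that embed user:password@host
    "db_url_with_credentials": re.compile(r"(?i)\b[a-z]+://[^/\s:]+:[^@\s]+@"),
}

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit in a single file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, e.g. the files staged for a push."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_push(files: Dict[str, str]) -> bool:
    """A pre-push gate: refuse the push if any secret pattern was found."""
    return len(scan_files(files)) > 0


# Constructed sample files standing in for a staged changeset.
SAMPLE_FILES = {
    "config/database.yml": "adapter: postgresql\nhost: db.example.invalid\n"
                           "username: athena\npassword: \"s3cretExample!\"\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n"
                     "-----END RSA PRIVATE KEY-----\n",
    "src/settings.py": 'DATABASE_URL = "postgres://athena:pw123@db.example.invalid/athena"\n',
    "README.md": "# Athena\nSimulation tool.\n",
}

if __name__ == "__main__":
    for path, lineno, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {kind}")
    if should_block_push(SAMPLE_FILES):
        print("blocked: remove secrets before pushing to a public repository")
```

Wired into a pre-push hook, a positive result stops the push before the secret ever reaches GitHub, which is cheaper than rotating keys after the fact.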
Vulnerability Prevention: Bug Bounty
Activity Log: Pulse
Activity Log: Members
Activity Log: Contributors Graph
Configuration Management
• Version Control
• Bug Tracking
Version Control
Pull Request
Issue Tracker
Recommendations
• Redesign home page
• Determine ongoing ownership
• Developer vs User Portal design
• Establish requirements for collaborators
Summary
The purpose of this project was to review the security and configuration management aspects of open sourcing TRADOC G-27’s Athena simulation on GitHub. Athena has been an open-source tool hosted on GitHub since Fall 2015. GitHub offers efficient configuration management features such as version control and bug tracking. By keeping Athena on GitHub, Athena will gain more exposure and maintain its integrity through the processes GitHub already has in place.
Questions?