Ministry of Health Builds Vulnerability Analysis Tool

OpenKat is a vulnerability analysis tool developed by the Ministry of Health. BiteStreams has helped developed quality software and keep performance high.

An icon representing the goal of the project.

The Goal

Automate the work of pentesters, with standardized reports and continuous scheduling and forensically secured, historical storage.

An icon representing the challenge of the project.

The Challenge

Managing historical data together with a materialized graph view. Keeping the system performant and stable while assuring proper developer experience.

An icon representing the challenge of the project.

The Approach

Creating an encrypted raw (meta-data) database and developing communication pipelines between the frontend, scheduler and workers.

Sector
Public Sector
Use Case
Application Monitoring
Ministry of health builds  vulnerability analysis tool, a button being pressed saying 'vulnerability analysis'.

About OpenKat

During Covid, the Ministry of Health faced a number of unprecedented challenges. They became responsible for monitoring a lot of new internal systems, while connecting to several external parties. The high demand for robust penetration tests resulted in building an application that continuously scans and monitors these systems. Crucially, it reports its findings in a structured format. After 1.5 year of work, this tool – OpenKat – is now open source, since the first of July 2022.

Automated & Provable pentesting

The ministry of health faced several challenges in the automation of pentests, here we will point out a few of the most prominent ones.

  • Every tool & pentest is different: Every pentest is different, because the finding of one vulnerability might lead to the finding of other vulnerabilities. Additionally, every pentester uses different tools (from the plethora of tools available), like nmap, shodan, and others, almost none of these output their results in a standard format.
  • Pentesting over time: Another challenge is the fact that findings in the past should be related to the findings found at present, and these findings should be digitally proven, this mechanism allows one to create a form of accountability.

All in all these requirements resulted in a complex set of services that need to operate seamlessly to achieve the results that were aimed for. The security team had a handful of people working on these challenges, which produced a proof of concept of OpenKat. Challenges still present were the right conceptual architecture, structure and manpower. The team got the green light to build a proper MVP and was looking to expand its development capacity.

Solid foundations, data engineering & DevOps

Between April and July 2021, BiteStreams joined the OpenKat team. As the applications got more complex, we helped the team set up automated development environments, including CI/CD test and build pipelines with docker and github actions. These pipelines and efforts helped the team keep its fast pace and contributed with a much easier onboarding experience for the many people that joined the efforts of building OpenKat. Additionally, we built several security use cases and contributed to the architecture, data modelling and interface design of the application landscape.

Outcome

The project is still actively being built and maintained, and has got a lot of positive feedback from the community.

Example page: KAT-alogus

OpenKat provides a list of scanning tools in their so-called KAT-alogus:

KAT-alogus

Objects are scanned with all enabled tools automatically

Example page: Object Graph

When adding - for example - https://scanme.org we let OpenKat run and automatically get the following object graph after we enable a DNS scanning tool:

Object Graph

At May Contain Hackers 2022 (MCH) a tent was set up for OpenKat specifically.

Features:

  • The open source repository can be found here.
  • The presentation about OpenKat at MCH can be found here.

Want to have a chat? Contact us now

Get more data-driven with BiteStreams, and leave the competition behind you.

Contact us