Tython™

The first and only open-source Security as Code framework to build security design patterns as-code

Design Complex Security Reference Architectures as-Code

Tython is an open-source Security as Code framework and SDK for building custom security reference architectures and design patterns as-code. Tython is the first and only Security as Code framework that takes an architectural approach to cloud security, supports your choice of programming languages, and removes vendor lock-in.

Security as Code Blueprints

Skip building custom parsers for every language and integrations for every tool. Design reusable security reference architectures as-code using pre-built blueprints - no static rules.

Bring Your Own Language

Define security and governance policies in your choice of programming language. Python, TypeScript, Rust, Golang, Sentinel, OPA – whatever your language, Tython will support it.

Automated Design Validation

The only architecture-first SaC framework. Remove traditional configuration management constraints with a meta-model of your application architecture for deep security visibility.

Architecture-Focused Approach

Dynamically identify security and compliance gaps based on business and application context, applying security automatically.

Open-Source Framework and SDK

Help innovate cloud security and push the boundaries for Security as Code. Join the community to share, extend, and contribute security reference architectures expressed in Tython.

End to End SDLC Workflows

Not just another gate: create, remediate, and enforce your custom security policies as early as possible, from architecture design through post-deployment drift detection.

Build Once, Enforce, and Apply Across All Architecture and Apps

# Example blueprint checks. Each is a method of a Tython blueprint class;
# the enclosing class, its imports and the SDK's Finding types are not shown here.

def check_data_sensitive_tags(self):
    """
    Check for defined data sensitivity tags

    CustomerReq:
        AssetInventory

    Author:
        squirrel@acorncorp.com

    Implements:
        Asset Inventory Framework: https://ai-framework.acorncorp.com

    Returns:
        Finding: Design Gap, Resource Gap, Kudos or Task
    """

    finding = None

    tags = self.db.servers_databases.tags

    # Missing tags are always a gap; a business-critical system additionally
    # needs a DataSensitivity tag.
    if not tags or (self.context.is_business_critical() and 'DataSensitivity' not in tags.keys()):
        finding = Finding(FindingType.DesignGap)
        finding.desc = ("Define Data Sensitivity tags for databases containing "
                        "business sensitive information")
        finding.severity = Severity.High
    else:
        # good job!
        finding = Finding(FindingType.Kudos)
        finding.desc = "By adding this tag you have made it easier to track systems that have sensitive data"
        finding.rating = WellDoneRating.Amazing

    return finding


def check_runtime(self):
    """
    Check runtime and version

    CustomerReq:
        Hardening

    Author:
        squirrel@acorncorp.com

    Implements:
        Supported Runtimes Framework: https://supported-runtime-fw.acorncorp.com

    Returns:
        Finding: Design Gap, Resource Gap, Kudos or Task
    """

    findings = []

    current_runtime = self.serverless.function.runtime
    supported_runtimes = Runtimes('AWS::Lambda')

    # check for unsupported or end of life runtime using Tython SDK
    findings.append(supported_runtimes.check_if_unsupported(current_runtime))
    # check if the runtime has known vulnerabilities using Tython SDK
    findings.append(supported_runtimes.check_if_vulnerable(current_runtime))

    # Python 3.11 is the Acorn Corp standard, build a custom check for that
    runtime = get_runtime(current_runtime)

    # Compare the dotted version numerically: as strings, "3.9" would sort above "3.11"
    version = tuple(int(part) for part in runtime.version.split("."))

    if runtime.framework == "python" and version < (3, 11):
        finding = Finding(FindingType.DesignGap)
        finding.desc = ("Acorn Corp requires all Python projects to use version 3.11. "
                        "Please upgrade your Python version to meet this requirement")
        finding.severity = Severity.Moderate
        findings.append(finding)

    return findings


def check_availability_zones(self):
    """
    Check availability zone architecture for ELBv1

    CustomerReq:
        HighAvailability

    Author:
        squirrel@acorncorp.com

    Implements:
        Multi-Zone Deployment best practices: https://multiaz.acorncorp.com

    Returns:
        Finding: Design Gap, Resource Gap, Kudos or Task
    """

    finding = None

    defined_zones = self.lb.load_balancer.availibility_zones

    if self.context.is_business_critical() and not is_multi_zone(defined_zones):
        # business critical system has a single zone design
        finding = Finding(FindingType.DesignGap)
        finding.desc = ("Business critical systems at AcornCorp are required to have a multi-zone design. "
                        "Configure your ELBv1 Load Balancer with multiple availability zones to increase tolerance against "
                        "a single zone failure")
        finding.documentation_url = "https://dochub.acorncorp.com/multi-zone-best-practices.html"

    return finding


def check_secret_encryption(self):
    """
    Check Kubernetes Secrets encryption for EKS

    CustomerReq:
        DataProtection

    Author:
        squirrel@acorncorp.com

    Implements:
        Data Encryption Standards: https://etcd-encryption.acorncorp.com

    Returns:
        Finding: Design Gap, Resource Gap, Kudos or Task
    """

    finding = None

    # No encryption_config means Secrets are stored in etcd without envelope encryption
    if not self.eks.cluster.encryption_config:
        finding = Finding(FindingType.DesignGap)
        finding.desc = ("Kubernetes provides an additional layer of security "
                        "for sensitive data, such as Secrets, stored in etcd. Encrypt the etcd "
                        "file to minimize the impact of attackers who may gain access to an offline etcd copy")
        finding.severity = Severity.High

    return finding
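As an added, self-contained illustration of the blueprint pattern above (not Tython's own code: the Finding, Severity, Database and Context classes are hypothetical stand-ins for the SDK's, and the databases and Lambda runtime ids are constructed), the data-sensitivity check is evaluated against a business-criticality context and the runtime check parses the runtime id so that versions compare numerically rather than as strings:

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple
import re

# Hypothetical stand-ins for the Tython SDK's Finding types (not the real SDK).
class FindingType(Enum):
    DesignGap = "DesignGap"
    Kudos = "Kudos"

class Severity(Enum):
    High = "High"
    Moderate = "Moderate"

@dataclass
class Finding:
    kind: FindingType
    desc: str = ""
    severity: Optional[Severity] = None

@dataclass
class Database:  # constructed stand-in for self.db.servers_databases
    name: str
    tags: dict = field(default_factory=dict)

@dataclass
class Context:  # constructed stand-in for self.context
    business_critical: bool

    def is_business_critical(self) -> bool:
        return self.business_critical

def check_data_sensitive_tags(db: Database, ctx: Context) -> Finding:
    """Untagged databases are always a gap; business-critical ones also need DataSensitivity."""
    if not db.tags or (ctx.is_business_critical() and "DataSensitivity" not in db.tags):
        return Finding(FindingType.DesignGap, "Define Data Sensitivity tags for databases "
                       "containing business sensitive information", Severity.High)
    return Finding(FindingType.Kudos, "By adding this tag you have made it easier "
                   "to track systems that have sensitive data")

def runtime_version(runtime_id: str) -> Tuple[Optional[str], Tuple[int, ...]]:
    """Split a Lambda runtime id such as 'python3.9' into ('python', (3, 9))."""
    m = re.fullmatch(r"([a-z]+)(\d+(?:\.\d+)*)", runtime_id)
    return (m.group(1), tuple(int(p) for p in m.group(2).split("."))) if m else (None, ())

def check_runtime(runtime_id: str, minimum=(3, 11)) -> Optional[Finding]:
    """Flag Python runtimes below the Acorn Corp 3.11 standard (tuple compare, not string)."""
    framework, version = runtime_version(runtime_id)
    if framework == "python" and version < minimum:
        return Finding(FindingType.DesignGap, "Acorn Corp requires all Python projects "
                       "to use version 3.11.", Severity.Moderate)
    return None
```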

Tython Natively Integrates Across Your Cloud

Multi-Cloud Support

Define security reference architectures as-code for the most complex cloud applications. Apply security consistently across all CSPs, multi-cloud workloads and environments.

IaC Agnostic

Developer freedom to use preferred Infrastructure as Code (IaC) tools: Terraform, CloudFormation, Kubernetes, etc. Even validate heterogeneous repositories that mix multiple IaC tools at the same time.

Intelligent Remediation & Drift Detection

Others just detect. Security, compliance, and governance guardrails defined in Tython are enforced automatically from design through post-deployment, giving developers real-time feedback on code changes.

Architecture Graph

Deep visibility and access to your entire cloud application architecture through an interactive graph. Assess whatever you want, drill down into specific resources, areas, and more.

Deliver Security at Scale

  • Focus on cloud architecture over configurations to understand security holistically across your application.
  • Manage security reference architectures in a consistent, repeatable, and version-controlled way.
  • Imperative rather than declarative programming, to define more complex and granular policies.
  • Freedom for developers and security teams to use your favorite IaC tools, CSPs, CI/CD systems, code repos, etc. to enforce security policies.
  • Remove vendor lock-in by defining reference architectures as-code in your programming language.
  • Community driven to make cloud security easier. Contribute your open Security as Code frameworks.

Run Security as Code Anywhere in Your Pipeline

  • Design
  • Code
  • Build & Test
  • Deploy
  • Operate

Write Your First Blueprint and Test in Less than 5 Minutes

Deliver security at scale. Design security as early as possible in your software development lifecycle so security is scalable and consistent across the most complex cloud native environments.