Open Source Security: Can Security Be Open?

Open source security is emerging as an important new tool in the rapidly evolving world of software development

The history of security looks like a cloak-and-dagger movie from the Cold War era. It is a story dominated by obfuscation, shrouded in secrecy, and an ever-escalating arms race happily fueled by arms dealers.

How well has that served the industry? Yes, we all trust the internet to a degree. But despite billions of dollars of annual investment, reported security breaches doubled from 2016 to 2017, and this year is already proving to be worse than last.

It’s clear that just doing more of the same isn’t going to radically change the game. Recently, however, we have seen the emergence of open source security systems. Instead of keeping tooling secret and hoping that attackers don’t find the vulnerabilities in it, security professionals and developers are trying to be more open. The reasoning is that by sharing knowledge, data and processes they can build more effective protection than any one vendor can build in secret.

It’s not just a philosophical awakening, however. The underlying models of software architecture and development processes have changed in ways that make open source security more feasible. Here are three important catalysts for this change.

Applications are Becoming More Composable

With the migration to cloud-native applications, there is a distinct move to decompose applications into smaller, more manageable but interconnected pieces that run on an orchestrated platform. This decomposition presents an opportunity: Why not include the appropriate elements of security every step of the way? Use open source tools such as Docker Notary to sign container images so that only trusted content is pulled and run (signing only helps if the runtime is configured to enforce it); an overlay network such as Weave to encrypt communication between those pieces; and SPIFFE to give each application workload a cryptographically verifiable identity instead of relying on IP addresses.

Security is Shifting Left

As corporations are attacked more frequently, tolerance of risk in software has naturally gone down. Instead of CISOs continually playing catch-up with software after it has gone out the door, companies are smartly including development teams in the security challenge. This “shift left” toward the beginning of the development cycle puts the onus on Dev teams to reduce the production of vulnerable software. And where developers are involved, you’re likely to find two other things: automation (developers hate repetition) and open source (many developers love to share ideas via open source projects). A great example of this is Anchore, an open source tool that scans container images for known vulnerabilities and evaluates them against policies for compliance, so that a bad image can be rejected in the build pipeline rather than discovered in production.

It’s Not Just About the Perimeter

With the move to cloud and cloud-based architectures, combined with the distributed, composable architecture described above, it’s no longer clear what the perimeter of your application is. Gone are the days of simply layering on some network security at the edge and assuming your application is secure. While cloud native gives you dynamic flexibility, it also comes with a potentially porous substrate through which your data can leak away. Where a few tools were sufficient to secure your applications before, layers of security are now required to defend against both internal and external threats. It’s not all gloom, however. Open source tools such as Falco observe what is happening on your container hosts and applications at the system call level and alert you to malicious behavior, whether it comes from external attackers or insider threats.
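As an added illustration of the kind of behavioral alerting described above (this is an example constructed for this article, not a rule shipped by Falco or by Sysdig), here is a self-contained Falco rules file that fires when an interactive shell is started inside a container. The list and macros are inlined so the file stands alone; they follow the shape of Falco’s default ruleset but are assumptions made for this example, and the rule name, description and tags are invented.

```yaml
# Constructed example for this article; not part of Falco's default rules.
# List and macros are inlined so the file loads on its own
# (e.g. `falco -r this_file.yaml`); they are assumptions for this example.

# Common shell binaries. Extend this if your images ship others.
- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

# A process was started: an execve/execveat syscall that returned (exit direction).
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir = <)

# The event happened inside a container rather than on the host itself.
- macro: container
  condition: (container.id != host)

# The new process is one of the shells listed above.
- macro: shell_procs
  condition: (proc.name in (shell_binaries))

# Workloads rarely spawn a shell with a TTY attached; a human (or an attacker
# with a foothold) doing `docker exec -it` or `kubectl exec -it` will.
- rule: Interactive shell spawned in container
  desc: >
    A shell with an attached terminal was started inside a container.
    Treat as suspicious unless it matches a known debugging workflow.
  condition: >
    spawned_process and container and shell_procs and proc.tty != 0
  output: >
    Interactive shell in container
    (user=%user.name container_id=%container.id
    image=%container.image.repository shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, example]
```

Two practical caveats. First, a rule like this observes and alerts; it does not block the shell, so it belongs alongside the image signing and scanning gates from the earlier sections rather than in place of them. Second, expect legitimate noise (debugging sidecars, CI jobs that run `sh -c`); tune it by adding exceptions for those images or parent processes to the condition rather than lowering the priority, so the alert keeps its meaning when it does fire.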

Open source security is thriving in an age when rapid development is a requirement. Security professionals are more willing to accept open source technology when strong, active communities back the software and it is part of a larger portfolio of tools, techniques and processes designed to protect business applications.

The distributed, dynamic, complex nature of today’s applications also allows innovative projects to play a role in business software. Once considered inconceivable, open source security now has a healthy, influential role to play in the rapidly evolving world of software development.

Apurva Dave

Apurva Dave is the Chief Marketing Officer at Sysdig. He’s been helping people analyze and accelerate infrastructure for the better part of two decades. He previously worked at Riverbed on both WAN acceleration and Network Analysis products, and at Inktomi on infrastructure products. He has a computer science degree from Brown University and an MBA from UC Berkeley.