The impact of open source on security [Q&A]
Open source software is commonly used to save time as it means developers don't end up repeating the same things over and over.
One of the key things about open source is that the source code is open to examination by everyone, In security terms this means it’s open to both the attackers and defenders.
So, is open source a good or bad thing when it comes to security? We spoke to Shay Nehmad, tech lead and open source software developer at Guardicore to find out.
BN: What are the common misconceptions and fears surrounding open source software in security, and how have those recently changed?
SN: Some of the greatest fears around open source in security have become largely irrelevant due to recent industry developments. Even though we're discussing free software, big tech is responsible for the necessary change in perception.
A classic fear is that open source exposes the source code to examination by everyone, both the attackers and defenders. The impact of this argument has long been debated. You may expose your code to 10 attackers and at the same time, 100 security companies and 1,000 automated code verification tools. A defining characteristic of the open source community is it truly is a community. Developers take great pride in collaborating with one another to improve solutions and examine projects for flaws and vulnerabilities, so depending on your vantage point, this fear may be a benefit.
But the greatest fear turned misconception is that open source is not dependable for enterprise use because it isn't optimized for scale or production.
Open source is no longer developed by a rogue collection of developers in basements and back rooms without a brand name behind it. Today, the most popular open source projects are backed by the biggest commercial technology companies. Industry giants have recognized not only the benefit to end users in backing open source projects, but the monetary value in providing free software that strengthens their own commercial offerings. Even open source’s biggest nemesis, Microsoft, changed their mind and recently purchased GitHub. Now, talented people working for real pay with bigger stakeholders than the project itself are behind the most popular projects.
BN: What use cases and benefits does open source software present in securing modern cloud and hybrid environments?
SN: Attack simulation and knowledge sharing are two of the most effective use cases. This goes back to the community aspect of open source. The most recognizable example is the MITRE ATT&CK framework. Since the framework is open to everyone, it provides a shared and well-defined vocabulary. The bar for entry is also extremely low, enabling organizations with limited resources to both tap into the knowledge base and contribute to it to strengthen the larger community.
The reason open source is particularly effective in modern cloud and hybrid environments is because the most popular cloud offerings are built upon open source -- Linux servers, Amazon S3 storage, DynamoDB, etc. -- and open source plays nice with other open source. Specifically in hybrid environments, businesses must have a common denominator across various software and applications. The common denominator between Google, Amazon, Azure, and others is that all of their compute services offer users the ability to run Linux in the back end, or Python code, and open source will stick to other open source.
BN: How can both open and closed source software be successfully implemented in enterprise security strategies?
SN: You cannot solve a problem without first understanding it. This is where open source and commercial software compliments each other so well in enterprise security. You can think of open source as the educator, and closed source as the problem solver.
For example, at Guardicore we leverage open source through our attack simulation tool called Infection Monkey. The Monkey provides a way to continuously assess the security posture of enterprise environments and delivers actionable recommendations with various reports, one of them mapping directly to MITRE ATT&CK. As an open source tool, it is essentially public education. Once an organization understands the problems within their environment -- at no cost -- they’ll leverage our closed source commercial offering to solve them. The greatest battle many security operations teams face is a lack of resources and leveraging open source as a discovery tool and closed source as a problem solver is a tremendous asset.
Open source can also be thought of as a test drive. Many solution providers will offer a standard, open version of their software allowing users to get comfortable and make sure it fits their enterprise. If that's the case, users can then upgrade to a closed offering with the commercial features that best fit their specific needs, but without the fear of buying something without knowing if it's truly needed or compatible/effective.
BN: Open source software is mostly associated with Linux environments. How are additional environments becoming more open source friendly?
SN: All of the major players are doing this. The trend isn’t new, but really gained momentum when marketplaces from the big 3 tech companies began enabling free open source projects. A great example is DynamoDB via AWS. It's a really useful cloud service that provides a popular database for modern applications that is powered by MongoDB, which is completely open source.
Across the board, major providers are becoming more accommodating through evolved infrastructure engineering, more operating languages and better infrastructure code -- all geared toward open source. We already discussed Microsoft acquiring GitHub. Boto3, the AWS SDK for Python is another good example.
These companies are some of the most successful in the world for a reason - they understand a revenue-driving opportunity when they see one. Open source is driving revenue.
BN: Will a marked increase in remote workforce environments encourage enterprises to further adopt open source software in security strategies?
SN: Yes. With lower budgets, higher risks, more threats, and an elevated sense of responsibility and community, open source adoption will accelerate.
While many organizations are taking financial hits due to the current pandemic, they cannot afford to let security practices slip. Open source’s cost is an obvious draw but the community behind it is also attractive. A primary challenge with pandemic-related and WFH attacks is many of the related attack domains are new and have not been blacklisted or categorized as malicious. Knowledge sharing and collaboration enabled through open source projects allows honest people to work together to share intelligence and develop solutions to combat nuanced threats as a global team.
I'm of the opinion that if Zoom's code was open source, the company and its users would not have encountered the problems they did. With practically everyone working from home, the InfoSec community is hunting for vulnerabilities in popular teleconference services. Since their initial troubles, Zoom has been hiring people out of the InfoSec community to help. If large portions of code were open, for example, encryption, people could have examined and found flaws before people on Twitter randomly did.