As every security practitioner knows, open source software is of tremendous benefit to the discipline of security. Everyone is familiar with names like OpenSSL, OpenSSH, the Metasploit Framework, Snort, Suricata and Wireshark (and pages’ worth of others). And, as we know, many of these tools aren’t just “relevant”—they’re foundational to the way we practice security.
But have you ever stopped to think about how these projects get started in the first place? Much like commercial products, there’s a lifecycle: it may start with one or two developers in the early days, slowly building a base of users over time. As the project gains traction, it might increase in scale until ultimately, it’s supported by a large community of developers, users, financial supporters and others all contributing (some in greater degree, some less) to the features, success and relevance of the project.
It’s the rare project that can thrive for long without this support. As you read this, there are hundreds (if not thousands) of open source tools that could provide very real benefits to security practitioners but that you might not have heard of because they haven’t yet established that fully realized support network around them. They might do anything from application container image scanning, to incident response case tracking, to cryptographic services, to application proxying and beyond. It’s possible—even likely—that free and open solutions you’ve never heard of exist right now for the most pressing security problems on your plate. There are also numerous individuals who are “sitting on” that perfect solution—maybe they’ve written a script or authored some software that does exactly what you need—and who have considered releasing it as open source but haven’t, because they don’t know how, because it seems too complicated or because they don’t have the time or resources.
Seems like a shame, doesn’t it? We think so too.
Enter the RSAC Open Source Track
To help address this, RSA Conference is hosting an entire track dedicated to open source at RSAC 2020. The mission of the track? To help cultivate community support for the business use of security tools, to help foster support for open source in the security community and just to let you know about cool tools out there that can solve real business problems.
Now, there have always been open source tools discussed at RSAC, and some have even been released at RSAC. In fact, there was one year in which two different open source WAFs—IronBee and openWAF—were announced at RSAC on the same day! What makes this year a little different, though, is that we’ve taken an open source approach to the effort itself.
By this, we mean we’ve pulled together a community of advisors—from open source “power users,” to advocates and developers—to help us find, evaluate and highlight exciting projects that can be used by organizations to solve real-world business problems. Secondly, we’ve tried our best to pull together the resources and information to help foster open source in the broader security community as a whole, for example, by outlining the value, the challenges and solutions potential developers might encounter, and the logistics for those considering authoring an open source tool or releasing their existing work as open source.
Our belief is that the track will only be useful and relevant to you if it itself is supported by a community—this is true of open source projects and we believe it’s true of the track itself as well. Also, like an open source project, the value the track provides will dictate its success. Our vision is one where RSAC is a place not only to connect with likeminded peers facing similar challenges but to discover free and open solutions that help address those problems—with immediate access to the tools themselves (ideally as “ready to run” as possible) as well as the existing community of users around the world who help keep that tool alive and running.
With this in mind, we asked two RSAC open source program committee members, Metasploit Framework founder HD Moore and cURL author Daniel Stenberg, which sessions in the track they’re most excited about and why. They highlighted four sessions, and, interestingly, their choices reflect not only the diversity of their backgrounds but also the diversity of what the track has to offer.
The first mentioned was the session “Time to Spell Out Open Source Software Security” from Javier Perez at Veracode. It’s an “optimistic view” of open source software security with supporting technical detail and examples. Why is this one exciting and important? Because more and more open source libraries are being used “under the hood” in everything from MRI machines to automobiles to planes and household appliances. As we move forward, the security of these libraries translates directly to the security of tomorrow’s systems. In Daniel’s words, “… how to work with projects to become more secure is an ever ongoing subject that is the very foundation of future security.”
Daniel also highlighted “Vendors or Open Source Tools: How Do You Decide???” as a potentially valuable resource that can help practitioners evaluate when and how to adopt open source and when and how to adopt commercial tools instead. “… security is hard. We need all the help we can get to aid us through the jungle of software, offerings and products, and I hope this talk can provide some thoughts and good advice to bring with us for coming decisions and projects.” Even in today’s world, open source tools create both challenges and opportunities: they can add complexity, and they can help address it. For example, HD outlined one potential issue in the container orchestration world, pointing to an area where open source can both create—and address—a key challenge: “Kubernetes is ridiculously complicated. Well-meaning attempts to silo services using the RBAC functionality can easily go wrong, and similar to efforts such as Bloodhound for AD analysis, tooling is needed to understand the effective permissions.”
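HD’s point about effective permissions is easy to see with a small resolver. What follows is an added example written for this page; it is not code from the RSAC track, from HD Moore, or from Bloodhound or any other project mentioned here. It assumes RBAC objects are supplied as plain Python dicts in the shape `kubectl get ... -o json` prints, walks the Role, ClusterRole, RoleBinding and ClusterRoleBinding objects to compute each subject’s effective grants, and then answers “can this subject do X?” the way the API server would (wildcards, additive-only rules, and the difference between binding a ClusterRole through a RoleBinding versus a ClusterRoleBinding). The manifests, namespaces and subject names are constructed for illustration.

```python
from collections import defaultdict

# Constructed RBAC objects, not from any real cluster. The shape follows what
# `kubectl get ... -o json` prints; only the fields the resolver needs are kept.
OBJECTS = [
    {"kind": "Role", "metadata": {"name": "ns-secret-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-admin"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
    # Intended silo: the app service account reads secrets only in team-a.
    {"kind": "RoleBinding", "metadata": {"name": "app-reads-secrets", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "ns-secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "team-a"}]},
    # A RoleBinding to a ClusterRole is still confined to the binding's namespace.
    {"kind": "RoleBinding", "metadata": {"name": "ops-secret-admin", "namespace": "team-b"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    # The same ClusterRole through a ClusterRoleBinding: every namespace, every verb.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-secret-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "tooling"}]},
]

CLUSTER_WIDE = "*"  # scope marker for grants that come from a ClusterRoleBinding


def subject_key(subject):
    """Canonical subject name; service accounts are namespaced, users and groups are not."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject['namespace']}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def index_roles(objects):
    """Map (kind, namespace, name) -> rules for every Role and ClusterRole."""
    roles = {}
    for obj in objects:
        meta = obj["metadata"]
        if obj["kind"] == "Role":
            roles[("Role", meta["namespace"], meta["name"])] = obj["rules"]
        elif obj["kind"] == "ClusterRole":
            roles[("ClusterRole", None, meta["name"])] = obj["rules"]
    return roles


def effective_permissions(objects):
    """Return {subject: {(scope, apiGroup, resource, verb)}}.

    RBAC is purely additive (there are no deny rules), so the effective set is
    the union of every rule reachable through every binding naming the subject.
    """
    roles = index_roles(objects)
    perms = defaultdict(set)
    for obj in objects:
        if obj["kind"] == "ClusterRoleBinding":
            scope = CLUSTER_WIDE
            key = ("ClusterRole", None, obj["roleRef"]["name"])
        elif obj["kind"] == "RoleBinding":
            scope = obj["metadata"]["namespace"]
            ref = obj["roleRef"]
            # A Role must live in the binding's namespace; a ClusterRole is
            # cluster-scoped but, bound this way, applies only inside `scope`.
            key = ("Role", scope, ref["name"]) if ref["kind"] == "Role" else ("ClusterRole", None, ref["name"])
        else:
            continue
        for rule in roles.get(key, []):  # a dangling roleRef grants nothing
            for group in rule["apiGroups"]:
                for resource in rule["resources"]:
                    for verb in rule["verbs"]:
                        for subject in obj.get("subjects", []):
                            perms[subject_key(subject)].add((scope, group, resource, verb))
    return dict(perms)


def matches(pattern, value):
    """RBAC rule fields accept the literal value or the "*" wildcard."""
    return pattern == "*" or pattern == value


def can(perms, subject, verb, resource, namespace, api_group=""):
    """Would the API server authorize `subject` to `verb` `resource` in `namespace`?"""
    return any(
        scope in (CLUSTER_WIDE, namespace)
        and matches(group, api_group) and matches(res, resource) and matches(v, verb)
        for scope, group, res, v in perms.get(subject, ())
    )


def cluster_wide_subjects(perms, verb, resource, api_group=""):
    """Subjects that can `verb` `resource` in every namespace: the silo has failed for them."""
    return sorted(
        subject for subject, grants in perms.items()
        if any(scope == CLUSTER_WIDE and matches(g, api_group) and matches(r, resource) and matches(v, verb)
               for scope, g, r, v in grants)
    )


if __name__ == "__main__":
    perms = effective_permissions(OBJECTS)
    for subject, grants in sorted(perms.items()):
        for scope, group, resource, verb in sorted(grants):
            print(f"{subject:30} {scope:8} {group or 'core':6} {resource:10} {verb}")
    print("cluster-wide secret deletion:", cluster_wide_subjects(perms, "delete", "secrets"))
```

Run as-is, the resolver shows the `app` service account confined to `get`/`list` on secrets in `team-a`, the `ops` group with full secret access in `team-b` only, and the `ci` service account able to delete secrets in every namespace, which is exactly the kind of quiet escape from a silo that tooling has to surface. It deliberately ignores `resourceNames`, subresources such as `pods/log`, `nonResourceURLs`, aggregated ClusterRoles and the built-in groups such as `system:authenticated`; a real analyzer has to handle all of those, and `kubectl auth can-i --list --as <subject>` is a useful cross-check against a live cluster.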
Both of these sessions offer advice for the open source tool user or potential developer, and there is no shortage of cool tools either. Daniel and HD also highlighted sessions that introduce new security tools: both those from independent tool vendors and those with the support of larger organizations. Hear about projects like TheHive and Security Onion from the folks who wrote them, and hear about projects with commercial backing like Microsoft’s MSTICPy.
In short, we are very excited about what’s in store, and we hope it unlocks the door to more great open source development within the security community in the future.