Incomplete Thought: Why We Need Open Source Security Solutions More Than Ever…

Illustrates a rightward shift in the demand curve.
Image via Wikipedia

I don’t have time to write a big blog post and quite frankly, I don’t need to. Not on this topic.

I do, however, feel that it’s important to bring back into consciousness how very important open source security solutions are to us — at least those of us who actually expect to make an impact in our organizations and work toward making a dent in our security problem pile.

Why do open source solutions matter so much in our approach to dealing with securing the things that matter most to us?

It comes down to things we already know but are often paralyzed to do anything about:

  1. The threat curve and attacker innovation outpace those of the defender by orders of magnitude (duh)
  2. Disruptive technology and innovation dramatically impact the operational, threat and risk modeling we have to deal with (duh duh)
  3. The security industry is not in the business of solving security problems that don’t have a profit motive/margin attached to them (ugh)

We can’t do much about #1 and #2 except be early adopters, be agile/dynamic and plan for change. I’ve written about this many times and built an entire series of presentations (Security and Disruptive Innovation) that Rich Mogull and I have taken to updating over the last few years.

We can do something about #3 and we can do it by continuing to invest in the development, deployment, support, and perhaps even the eventual commercialization of open source security solutions.

(To be clear, it’s not that commercialization is required for success, but it often indicates that a solution has become mainstream and valued, and that money *can* be made.)

When you look at why most open source project creators bring a solution to market, it’s because the solution generally is not commercially available, it solves an immediate need and it’s contributed to by a community. These are all fantastic reasons to use, support, extend and contribute back to the open source movement — even if you don’t code, you can help by improving the roadmaps of these projects, making suggestions and promoting their use.

Open source security solutions deliver, and they deliver quickly, because roadmaps and feature integration occur in an agile, meritocratic and vetted manner that often lacks polish but delivers immediate value — especially given their cost.

We’re stuck in a loop (or a Hamster Sine Wave of Pain) because the problems we really need to solve are not worked on by the companies that are in the best position to solve them in a timely manner. Why? Because when these emerging solutions are evaluated, they live or die by one thing: TAM (total addressable market).

If there’s no big $$$ attached and someone can’t make the case within an organization that this is a strategic (read: revenue generating) big bet, the big companies wait for a small innovative startup to develop the technology (or an open source tool), see if it lives long enough for market demand to drive revenues and then buy them…or sometimes develop a competitive solution.

Classical crossing the chasm/Moore stuff.

The problem here is that this cycle is horribly broken and we see perfectly awesome solutions die on the vine. Sometimes they come back to life years later, cyclically, when the pain gets big enough (and there’s money to be made), or the “market” of products and companies consolidates, commoditizes and the solution ultimately becomes a feature.

I’ve got hundreds of examples I can give of this phenomenon — and I bet you do, too.

That’s not to say we don’t have open-source-derived success stories (Snort, Metasploit, ClamAV, Nessus, OSSEC, etc.), but we just don’t have enough of them. Further, there are disruptions such as virtualization and cloud computing that fundamentally change the game; harnessed in conjunction with open source solutions, they can accelerate the delivery and velocity of solutions because of how much impact the platform shift can have.

I’ve also got dozens of awesome ideas that could/would fundamentally solve many attendant issues we have in security — but the timing, economics, culture, politics and readiness/appetite for adoption aren’t there commercially…they can be, however, via open source.

I’m going to start a series that identifies and highlights solutions, either available as kernel-nugget technology or as past-life approaches, that I think can and should be taken on as open source projects and could fundamentally help our cause as a community.

Maybe someone can code/create open source solutions out of them that can help us all. We should encourage this behavior.

We need it more than ever now.

/Hoff

Comments

Andre Gironda
July 17th, 2010 at 13:50

    You forgot OpenSSL, OpenSSH, OpenVPN.

    Some languages are innately open-source, such as Java and Python. Heck, even .NET and Ruby are open-source by default. It doesn't matter that PHP is open-source for security because PHP and security are diametrically opposed.

    If you want to bring cloud into this, you could say that SaaS is more closed-source than closed-source software and also less secure than closed-source software and PHP combined.

    It was really very saddening to see Apache get taken down by a bunch of script kiddies who learned how to XSS a few months ago (http://blogs.apache.org/infra/entry/apache_org_04_09_2010). However, the benefit of being Apache is that a) Apache actually tells the world how they got hacked. They didn't ask their GC if it was ok to report on what certainly amounted to less than 10k non-PII records. They just did a write-up so that we can all learn from their mistakes. Oh, and b) Apache clearly has the resources and expertise to handle the incident and provide reliable data.

    Why does an open-source outfit like The Apache Software Foundation have an incident response program that is at least 20-30 years ahead of most modern commercial solutions in place at Fortune 100?

    A better question might be, why does an open-source outfit like Mozilla have a security response program that is 10 years ahead of Microsoft's and why is Microsoft's at least 5 years ahead of the other top ISVs?
