Frankly Speaking 1/26/21 - The challenge with open-source and security
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
Another crazy week. 2021 is really starting off with a bang. Anyway, I read an interesting article this week about the environmental impacts of working from home. It does reduce traffic and commercial utility usage. Pushing some costs to employees does help, because we all know that we are a bit more wasteful when the company pays for something than when we pay for it ourselves. However, replacing the commute has led to increased usage of the cloud through work-from-home tech. There are reports showing increased datacenter usage, so the environmental benefits aren’t as great as we thought. I do think there are benefits, especially in the overall reduction in travel. The question is how much.
On a related note, I realized that knowing how to cook and make a good cup of coffee at home has saved me a lot of money on takeout and going to Starbucks. For those who do this, how much have you saved?
LET’S BE FRANK
A big theme of this newsletter is trying to figure out how security will evolve in the cloud, and it’s clear that developers will play a bigger role. I’ve talked about how to convince developers to care about security even though they might not be incentivized to care inherently. I mean honestly, the cloud providers themselves don’t care about security. Anyway, enough on that.
With the cloud and developers, there is a new topic appearing in security: open-source usage.
Security has had a complicated relationship with open-source. There have been some popular open-source projects that have had commercial success, such as Metasploit, which was the starting point for Rapid7, and osquery from Facebook, which is the basis of companies like Uptycs. However, this is nowhere close to the level of adoption seen in other sectors.
Why is that? It’s partially cultural. Good security tools are highly valuable and hard to create, so many want to keep them close to their chest. Just look at the value of discovering zero-day bugs. Another reason is that tool makers don’t want to hand attackers an advantage: anyone who finds a flaw in the source code can use it to bypass the system. However, the argument can be made that there are more white hat hackers than black hat ones, so it’s actually good to have auditable code.
Finally, as with all things in security, there is an issue of liability. If a hack happens, who can I blame as a security person? If I buy a security tool, I can say I tried my best and trusted a security vendor. However, with open-source, it’s unclear, especially if support is unavailable for the tool, which is usually the case. Is it my fault for not buying from a vendor and being cheap? What was the real problem: the project’s quality, or my inability to operationalize it in my environment and maintain it? There are a lot of risks.
With the cloud comes DevOps’s involvement in security. There’s no doubt that DevOps heavily relies on open-source. We are already seeing more open-source usage for security purposes, such as Snyk and infrastructure-as-code static analysis tools like cfn-lint. There are benefits to open-source usage in security, especially in organizations that don’t have large budgets. It’s just unfortunate that the security industry hasn’t really figured out the economics of security products tailored to that segment of the market. However, it does seem like open-source can save the day!
Well… of course it’s not that simple. Security is used to running big projects to evaluate and deploy security products, but DevOps has more of a “build or buy” mentality. DevOps is willing to buy a tool for compliance and/or a reduction in development cycles, i.e. if it frees up a developer’s time to work on the product. So, with open-source tools, if there are products that can help operationalize and maintain them, then they seem like valuable tools. However, if some open-source project is critical, such as containers, then it might be worth having developers customize, optimize, and maintain it for your environment.
This raises the following questions:
What problems will security choose to solve with open-source software?
Are there security problems better suited for open-source?
There seems to be a set of security-critical problems that are annoying for DevOps to maintain, e.g. developer login to the cloud and dependency analysis of code. This is where I believe most of the value will be generated. What new problems of this type will emerge as cloud usage increases?
What tools will security buy to maintain these open-source projects?
As always, my email is open to discuss this!
This post is partially inspired by this article on why open-source is a bad investment (interestingly written by an open-source founder). We are definitely going to see more open-source usage to solve security problems.
TWEET OF THE WEEK
Sometimes, the simplest solution is the best… especially in security. There is value in simple solutions to complicated problems.