Open source in cybersecurity: a deep dive
Analyzing select aspects of the nuanced world of open source in cybersecurity
Welcome to Venture in Security!
Introduction
Ever since entering cybersecurity, I have been fascinated by the important role of open source in the industry. I’ve heard a lot that hacking was built in communities of people sharing their knowledge for free, without any agenda or expectations of a payoff. Decades later, we are spending millions of dollars on defense yet the attackers often use the same open source tools built 15 years ago without having to spend a dime.
The nature of open source has changed dramatically over the past two decades. A case in point is Microsoft and its evolution from calling open source “cancer” in 2001, to becoming one of the world’s leading contributors to open source since 2017 (measured by the number of employees actively contributing to open source).
A decade ago, most open source projects were driven by individuals with very few companies present in the space, and even fewer being able to generate revenue from their open source offerings (such as OpenNMS). Some projects that started small, over time evolved into large companies with Elastic being a good, prominent example.
Today, open source is much more familiar to people and organizations across the globe. More tech companies open source their internal initiatives, use open source tools themselves, and support projects that align with their vision financially. Industry-wide advances such as infrastructure as code and detections as code were accelerated by large corporations allowing their work to become public.
In the past, security enthusiasts built open source on the side, using their main job to finance this side “hobby”. Today, more and more open source founders are finding ways to focus on their creations full-time - whether it’s through designing business models that unlock revenue streams, signing up for GitHub sponsors and establishing partnership arrangements with corporations, or even getting hired by large companies such as Microsoft to work on open source.
Open source projects of the past had a distinct “open source look” and required a lot of effort to get started. Today, the user experience of many open source tools is indistinguishable from that of their commercial counterparts.
In this piece, I will attempt to analyze select aspects of the nuanced world of open source in cybersecurity. This article would not have been possible without the generosity of practitioners in the space willing and open to share their insights: Thomas Patzke of Sigma, Jose Enrique Hernandez of Splunk, Fredrik Oedegaardstuen of Shuffle, Bradley Kemp of Phish Report, and Shane Curran of Evervault. A special thanks to Adam Mashinchi, formerly Director of Open Source Programs and now Principal Product Manager at Red Canary, for a deep dive into the complexity of the space, and for recommending Working in Public: The Making and Maintenance of Open Source Software by Nadia Eghbal - the best source to understand the basics and the dynamics of open source.
Basics of open source in cybersecurity
Types of open source projects
There are no standard “models” for organizing open source projects. Most commonly, they fall under one of two buckets:
Projects driven by individuals and loosely organized teams. Projects of this type are generally started with little more than the desire to solve a problem and share the solution with others.
Projects released and maintained by companies. Projects of this type are started and maintained as part of a strategic decision. A company has a set objective - get users to get started with a free version of the product, gain visibility in the open source community, or increase adoption of their other product offerings, to name a few.
The possibilities in open source are endless; one may even find “open source” tools gated behind the “get quote” call to action which arguably defeats the idea of open source to begin with.
Source: Zimbra
Motivators & benefits to maintainers
Different people are driven by different factors. Some of the common motivators I’ve heard from open source founders and maintainers include:
The desire to share knowledge and help improve security. If a developer keeps their software under wraps, it will only be useful to them. Sharing the code with the broader community increases the chances that others will benefit from it as well, and the work a developer does will help secure more organizations.
For consultants and employees, participating in open source gives visibility and raises the perceived value in the job market. Companies are willing to pay more for top talent, and being an open source maintainer or founder gives the edge in negotiations. Lastly, it’s a great source of pride - it’s not uncommon for open source maintainers to be asked to talk about their side projects during the job interview - something they are always happy to do.
Participating in open source is a great entry point to connect with people in the security community. Giving stuff away for free creates trust, and the more people trust you the more open they are to talk about their challenges, details of their incidents, and contribute back to the community.
Understanding that attackers consistently reuse and improve each other’s tools. For us to effectively defend ourselves, we have to also look for ways to learn together and improve the industry.
At times, contributing back to open source is a licensing condition. Under GPL, for instance, developers are expected to share back the code they changed.
How open source shapes the future of cybersecurity
Encouraging knowledge sharing
In the past few years, lines between open source and commercial products have started to blur. We see companies launching or buying open source projects and open source founders creating closed source, “premium” versions of their tools. Most importantly, we see that open source encourages knowledge sharing in the industry, thereby promoting best practices and making it easier for companies to harden their defenses.
An example of a company that contributes back to open source is Splunk. The Threat Research team at Splunk does their work publicly making it easy for other security professionals to see what they did, the attacks they launched, and how they arrived at the specific detection logic. Most importantly, the content of detections is not gated - if you are, say, a customer of Elastic - you can still use detections from Splunk (note that Elastic makes their rules available as well). Another tool - Splunk Attack Range - has over 1300 stars on GitHub, but rather than looking for ways to monetize it, Splunk sees the value of this project in supporting its vibrant, active community.
Splunk’s Threat Research team is also actively involved with another open source project - Red Canary’s Atomic Red Team. Since they write detections for Splunk, they also write the attacks.
Red Canary announced the Atomic Red Team (ART) back in 2017, making it easy for security professionals to test their organization’s defenses against the MITRE ATT&CK framework. ART cemented Red Canary’s reputation as a leader in the topic. Red Canary is a managed detection & response (MDR) provider, and the best way to say “we know what attacks are going on” is to have the largest repository of the attacks. Additionally, Atomic Red Team enables Red Canary to test their own detections. Open sourcing ART has allowed the industry to make an important step towards maturity and the vision of evidence-based security.
“Open source is an intellectual-property destroyer. I can't imagine something that could be worse than this for the software business and the intellectual-property business,” former Windows chief Jim Allchin famously said in 2001. "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches," former Microsoft CEO Steve Ballmer told the Chicago Sun Times a few months after that. Today, two decades later, Microsoft’s Azure security team greatly contributes to open source as well, with repositories such as Microsoft Sentinel and Microsoft 365 Defender being great examples.
Open source makes it possible for security professionals to get access to analytics and threat intelligence cost-effectively. Open source threat intelligence tools like MISP, OpenCTI, OpenTAXII, and others help organizations identify, evaluate, monitor, and respond to the ever-growing number of cyber threats.
These informational resources are especially important for organizations that are just getting started with their threat intelligence instrumentation. However, open source feeds have their weak spots. Because open source intelligence tools are freely accessible, some threat actors may use this information to identify which vulnerabilities are not being prioritized by the community and take advantage of these exploits. The same is true for detection logic such as that provided by the Sigma community - while a great start, it should not be used without extending the coverage to better fit the organization’s security needs.
Accelerating the adoption of PLG in cybersecurity
Another interesting observation concerns the recent trend that has been transforming the way enterprise SaaS products are delivered and has now entered cybersecurity: product-led growth (PLG). I talk about PLG a lot, and earlier this year I identified over 150 products in cybersecurity that have embraced this strategy.
Product-led growth makes it possible for people to get started with a security product in minutes, without talking to a salesperson, attending mandatory demos, meeting minimum spend, and negotiating a contract. People can freely create an account, pay for what they use, and scale up or down their deployments as needed.
While PLG is positioned as an innovative approach to the way cybersecurity products are bought and sold, removing the emphasis from marketing and sales and giving power back into the hands of security professionals, the truth is that this is what open source pioneered many years ago. The fact that security professionals are becoming more used to adopting open source tools on their own terms is forcing traditionally sales-led vendors to build more open PLG products.
There are many similarities between PLG and open source, but they are not one and the same. While in both cases users can get started with the product on their own and use what they need on their own terms, product-led growth emphasizes short time to value - the amount of time it takes for people to get started and realize the value of the product. Traditionally, open source tools have required much more involvement for deployment, configuration, and fine-tuning the functionality before they could be used. This is starting to change with newer open-source products like Wazuh adopting a lot of the PLG practices. I think as we go into the future, the line between experiences offered by PLG and open source products is going to get thinner.
While open source has a lot to learn from PLG, particularly about shortening time to value, it also has a lot to teach it, especially around community-led growth. Open source cybersecurity projects have been incredibly successful in building communities of champions and evangelists which enabled them to grow using word of mouth and without spending a dime on traditional marketing.
Acting as a forcing function for the maturation of security
Cybersecurity is maturing as an industry. In the past, security used to be thought of as a tool problem: “what do I need to install to be safe”. Now it has evolved into more of a systematic belief or approach promoting the foundational layers of security: collect data into one place, look into it, understand what is happening in your organization, identify how to detect malicious behavior, and respond appropriately.
One of the ways the industry maturation manifests itself is in the move from promise-based to evidence-based security.
“Mature security professionals know that security is a process, not a feature. The best way to build a security posture is to build it on top of controls and infrastructure that can be observed, tested, and enhanced. It is not built on promises from vendors that must be taken at face value. This means that the exact set of malicious activity and behavior you’re protected from should be known and you should be able to test and prove this. It also means that if you can describe something you want to detect and prevent, you should be able to apply it unilaterally without vendor intervention. For example, if a security engineer has read about WannaCry, they should have the ability to create their own detection logic without waiting a day or two until their vendor does a new release.” -
Source: Venture in Security
Open source gives security professionals full control over what happens in their environment. Empowered with this control, security teams are now starting to expect the same levels of control from commercial tooling which is slowly starting to look like infrastructure. Take products like LimaCharlie (security infrastructure as a service), Tines (security automation), SOC Prime (threat detection), GreyNoise (Internet background noise analysis), SCYTHE (attack emulation), and SafeBreach (continuous security validation platform), to name a few - they all look like building blocks of security, not like traditionally marketed and sold “products to keep the organization safe”.
Promoting standardization of security
As an industry, cybersecurity resists conformity which prevents us from building solutions that scale industry-wide. Open source is helping cybersecurity to establish common standards and approaches, facilitating interoperability between security tools.
MITRE ATT&CK®, an open framework for implementing cybersecurity detection and response programs developed by the MITRE Corporation, enabled the codification and standardization of knowledge for defenders. The creation of the Atomic Red Team, an open-source library of tests, put the theoretical concepts of the MITRE ATT&CK® framework into practice, enabling organizations to quickly, portably, and reproducibly test their defenses.
With millions of downloads and hundreds of thousands of registered users, Snort has become the industry standard for intrusion prevention systems (IPS). Sigma has become a de-facto common language for cybersecurity detections; most Security information and event management (SIEM) providers at some point will have to support Sigma out of the box.
Developing common standards in security is something that companies shouldn’t fight - they should build on top of that and embrace it. As an industry, we all benefit from standardization as it allows us to build solutions that scale across markets and geographies.
Driving innovation in cybersecurity
Open source acts as a forcing factor for innovation in cybersecurity in two ways: by leveraging community intelligence and by forcing vendors to add more value to the ecosystem.
By tapping into collective intelligence, open source products are able to get a large number of intrinsically motivated people to collaborate on solving complex security problems - something that creates magic and brings novel ideas to life. Open source can fill the gaps in security products and initiate the creation of new capabilities needed to improve cyber defense.
Most importantly, open source forces vendors to build better products. In a world where for every solution there is an open source equivalent, commercial vendors need to innovate beyond the obvious. If they don’t add any value beyond what the community provides for free - they will very likely lose. Vendors need to continuously re-establish their value proposition, invest in research and development and attract the best talent to innovate on top of what’s available in the open source. Things like speed to market and customer service become differentiators: a customer has little incentive to wait three months for a bug to get fixed if it can be as simple as submitting a quick fix themselves.
As we go into the future, I hope that the value proposition for business in cybersecurity will evolve; there will be more pressure from the market to innovate, more transparency, and less “snake oil”.
Some of the most popular open source tools in cybersecurity (the list is not exhaustive)
Two big debates about open source in cybersecurity
Should we be open sourcing offensive tooling?
Open source in cybersecurity originated on the side of offense - building tools for attacks with BloodHound, Nmap, and Mimikatz being great examples. Breaking things collectively or competitively is easier and more fun, as we can see from the number of offensive capture the flag (CTF) competitions, conference talks, and so-called hacking villages which even today outnumber equivalent defense-focused events by a wide margin.
While tools like Mimikatz were built as capabilities for offense, we do see people on the defense side use them as well, most commonly to test the organization’s detection and response capabilities and simulate attacks. However useful for defense, offensive tools due to their nature cannot provide systematic, holistic defense, and as such are only useful for identifying gaps, not for remediating them. Most importantly, they are leveraged by cybercriminals to conduct attacks.
Should we be open sourcing offensive tooling? This topic is actively debated in the cybersecurity community. A good illustration of why this is important comes from Cobalt Strike - an adversary emulation tool designed for defensive teams to generate malware, test endpoints, run spear phishing campaigns, and more. Cobalt Strike emulates many adversarial techniques, including the sophisticated ones, in a pretty efficient way, allowing organizations to uncover gaps in their security coverage and address them before bad guys do. Cobalt Strike is often in the headlines as the product is powerful and hard to detect, making it one of the favorite tools of hackers. Together with Metasploit, a free and open source security tool now owned by Rapid7, Cobalt Strike accounted for a quarter of all malware command and control servers in 2020.
Recently, an open source equivalent of Cobalt Strike - Sliver - has been making headlines. Security researchers are warning about seeing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver to conduct attacks. The C2 Matrix provides a solid view into the quantity of Command & Control (C2) that have come into existence, and specifically how many of them are open source.
Whether or not open sourcing offensive security tooling is a good idea is up for debate. Doing so indeed makes it easy for almost anyone to make malware and conduct attacks. I would, however, argue that making offensive security tooling open also makes it easy for it to be analyzed by the defense, which should enable security vendors to write solid detections and response logic. I believe making offensive tooling open, while benefiting the malicious actors, helps us strengthen our defenses and get ahead of the attackers.
Should we be open sourcing defensive tooling?
An extension of the offensive security tooling debate, a conversation about open sourcing defensive capabilities also has its merits. There are three parameters worth discussing: open sourcing vulnerabilities, open sourcing detections, and open sourcing defensive tools.
Let’s say a security professional finds a zero-day or reverse engineers a vulnerability patch and identifies a weakness. If they expose it publicly - they are essentially creating a race condition where hackers rush to exploit the weakness before the patch is released and deployed.
What if an attacker knows exactly what logic an organization is using to detect malicious behavior? It could allow them to find gaps and choose methods that bypass the detection. Repositories of detections such as Sigma, Splunk, or Elastic rules are available to anyone to analyze, reverse engineer, and find gaps.
A lot has been said about the risks of using open source tools in general. Open source cybersecurity software is not an exception as it opens the door to introducing vulnerabilities (intentionally or unintentionally) to those who use it. What if an attacker submits changes to the security product causing it to fail to detect or respond appropriately when the system in an organization using these products is subsequently breached?
I believe that the answer to the question of whether we should be open sourcing defensive tooling is a resounding yes.
Publicly exposing vulnerabilities enables security teams to eliminate them, harden the systems, and remove the possibility that someone else finds the gaps and exploits them later. To reduce risks, security professionals should be trying to first reach out to vendors privately, bringing their attention to important vulnerabilities without tipping off the attackers.
Publicly sharing detection logic enables defense security professionals to benefit from collective intelligence and to provide baseline security coverage for organizations with limited resources. It is then the job of the company’s security team to identify the gaps in this baseline coverage and extend it so that it can address unique risks and infrastructure in this particular organization.
Open sourcing defensive security tooling allows companies to lower the cost of defense, gain control over introducing the functionality they need without having to wait for months or years for the vendor to build it, and improves security for smaller organizations that lack the same resources and expertise that can be accessed by large enterprises. To reduce the risks that bad actors will subvert defensive tooling, open source cybersecurity projects must have a robust review and approval process for contributions.
Funding open source in cybersecurity
Offering services
Traditionally, the most common way for open source projects to generate revenue has been education, customer support, dedicated development time, and consulting - helping companies to get up and running with the product, and later - use it effectively.
What is also quite common is for a company to contribute to open source as a side hustle, outside of their main focus. Companies that do this commonly provide a broad range of security services, not directly related or limited to their open source activity. Examples include Atomic Red Team by Red Canary, 365Inspect by Soteria, open source contributions by Recon Infosec, and IntelOwl born out of Certego's Threat intelligence R&D division and constantly maintained and updated thanks to them.
Sponsorships from companies
Sponsorships are one of many different ways in which companies can support open source cybersecurity products. Examples include Tines and LimaCharlie which both support several open source projects.
Generally, companies sponsoring an open source project get their logo listed in the project's README file, with a link to the company website. There is a strong debate in the open source community if corporate sponsorships should be acceptable. There is an argument that if a company sponsors open source, it is using it as a lead generation source, and that makes it morally wrong.
I believe that as long as a company sponsoring the project does not try to influence its direction in some covert ways, open source sponsorship is a net positive for everyone involved: the project maintainers get additional resources while the sponsor gets some visibility in the community.
Freemium model, generating revenue in-product & raising money from VCs
I believe that open source is evolving from being “a way software is built” into its own business model.
We are starting to see more open source cybersecurity tools offering a freemium model where customers pay more for scale, cloud hosting, or more advanced versions of the product. From relying on donations and sponsorship, open source founders are starting to design ways to generate revenue in a reliable way so that they can scale and grow their product as their main area of focus.
A great example is Shuffle Automation - an open source Security Orchestration, Automation, and Response (SOAR) solution. Like most open source founders, Fredrik, founder of Shuffle, wasn’t thinking about revenue sources at the beginning - the goal was to help people automate their security. After some time, he realized that to fully focus on the project, he needed to get paid.
As a technical security professional with no background in business, Fredrik started by setting up GitHub Sponsors, only to realize that it could not be seen as a sustainable source of income to work on Shuffle full-time. That’s when he started learning the ropes of business and business model generation. To have visibility into how people use the product, and to keep improving it, Fredrik chose the open source SaaS model. The outcome - a model where users get a fully-featured open source SOAR for free, and pay for scale once they need it. Taking this approach created the right incentive for him to get new users to scale soon, prompting the focus on user experience, easy onboarding, and documentation.
Going further, Fredrik decided to focus on what he calls the “creative community” - engineers and security professionals capable of building “connectors” with different security products. He wanted to enable others to make money, but not through the traditional reseller model. In the end, he came up with a creative revenue share model: instead of raising money, hiring the team, and building all the “connectors” and “workflows” for different security tools, he built an incentive structure where users can develop their own workflows and get paid when others use them. Shuffle’s revenue-share model is similar to that of YouTube - you can see what people are interested in, build for that, and get paid when somebody uses it.
Shuffle is a great example of new-generation thinking when building an open source cybersecurity product - one that is innovative, open to experimentation, and focused on giving back to the community. There are many more examples of freemium in open source. Phish Report, a tool that makes phishing incident response automation easy, also adopted a form of freemium. The product is available for free to educational institutions. Fleet, an open source telemetry platform for servers and workstations, has a hosted (premium) version with extra features, effectively making it a freemium offering as well.
Some open source projects go as far as to raise funding from VCs. In September 2022, open source password manager Bitwarden raised a $100M minority growth investment. Bitwarden is built on an open source codebase, which enables the users to fully inspect the inner workings of the platform (the self-hosted version is free, while the cloud-hosted version is not).
Open source acquisitions
The question of open source acquisitions is even more contentious than open source sponsorship. Is it morally okay to buy something built by a community of people? Who has the right to decide on the sale? Who should get compensated? This debate is both very important and very complex, and I am not the right person to discuss it. Instead, I would like to focus on what has been happening in cybersecurity.
Buying open source projects in cybersecurity is not rare. In 2013, Cisco acquired Snort. In 2019, F5 Networks acquired NGINX, an open source leader in application delivery. In 2020, Offensive Security, a company that specializes in information security training and certification, acquired open source security training resource hub VulnHub. In 2021, Rapid7 acquired open source incident response tool Velociraptor. In 2009, Rapid7 acquired open source hacking tool Metasploit (with several large open source acquisitions and multiple open source products built in-house, Rapid7 is arguably one of the leading cybersecurity vendors when it comes to involvement with the open source community, alongside Microsoft and Splunk).
There are many reasons an organization could buy an open source project. For some, it’s a way to expose a well-developed ecosystem of users to their paid offerings. For others, it’s an opportunity to generate revenue from paid versions of the tool (a case in point is a premium tier of NGINX - a product owned by F5 since 2019).
Questions of morality of open source acquisitions notwithstanding, companies buying open source projects are generally able to allocate financial resources to their continued growth - something that is not always possible otherwise.
The ability of the company to buy the open source project is heavily dependent on the type of license. In some cases, the intellectual property might belong to the community making it hard or not legally possible to transfer the rights to the project. Open source licensing is a topic that deserves a separate deep dive. There are a multitude of cases when the official licensing requirements are bypassed after contact with the real world. One of the most interesting ones is the GPL license which requires anyone who uses and modifies code under GPL to open source the whole product back. While open source is (likely) heavily used by DoD and NSA professionals, they can use it however they want without any licensing challenges (with everything classified, no one is going to know what tools they used or expect disclosure).
Industry-wide open source initiatives
Efforts are underway to promote the use of open source in cybersecurity; the following are some of the organizations leading the efforts:
The Cyber Threat Alliance (CTA), established in 2014, is a non-profit organization that “works to enable near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field”.
The Open Cybersecurity Alliance (OCA), a project established in 2019, is “building an open ecosystem where cybersecurity products interoperate without the need for customized integrations”.
The Open Cybersecurity Schema Framework (OCSF), a project established in 2022, attempts to “help organizations detect, investigate and stop cyberattacks faster and more effectively”.
Conclusions
People starting open source projects are driven by the desire to help, give back, and pursue their passions. Projects that ended up defining a standard in the industry generally started as a side gig: Sigma, for example, began as a proof of concept, and only after its founders learned that it was being used in production did they start to take it seriously. Open source founders tend to identify important problem areas because they focus on the problem before, and often instead of, thinking of ways to monetize the solution. Those projects that turn into businesses commonly do so because founders want to find a way to work on them full-time, not because they are looking for a quick exit.
In cybersecurity, open source originated on the side of offense and building hacking tools to break into things. Some may argue that most offensive tools out there are open source, while both offensive and defensive tooling have to a large degree originated as open source in general. It is now time to put more emphasis on building out open source defensive capabilities. Having systematic, affordable, accessible, transparent, and dynamic defense tooling could level the playing field and reduce the number of cyber attacks we are seeing.
Every organization has different security needs and no SOC operates 100% the same. Open source lets security teams focus on the operation without spending much-needed funds on features they don't need. Most importantly, open source lets security teams build their own customized tools right for their needs.
Open source is a powerful force that helps shape the future of cybersecurity, accelerating the move from promise-based to evidence-based security, the adoption of product-led growth in the industry, innovation, and establishment of common standards across the industry. The use of analytics and threat intelligence makes it easier for defenders to identify threats while sharing best practices increases the maturity of cybersecurity globally. Most importantly, it is pushing security forward quietly and steadily, without drawing unnecessary attention or overstating what it is capable of.
For those of you who have the means to do so - I would highly encourage you to support great open source tooling in cybersecurity (GitHub sponsors and tools like Ko-Fi make it very easy).
This was interesting. Thanks for taking a look at open source software's role in security. I'd like to mention that offensive security tools of any kind, whether open source or commercial, only benefit what I called the "security one percent." As a result, digital offense capabilities are currently net negative for the security ecosystem. If you're interested in reading more, these are my relevant posts: https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html and https://taosecurity.blogspot.com/2021/02/digital-offense-capabilities-are.html