Open source is a double-edged sword for information security.
On the one hand, security professionals rely on countless open source security software tools, frameworks, and data and intelligence sharing platforms to carry out their work.
On the other hand, attackers have access to the same tools. In addition, open source software, both in security operations and elsewhere in the data center, can itself pose security risks.
The importance of open source tools
According to a survey released late last month by Aqua Security, most security professionals are in favor of using open source security software and tools.
In the survey of 100 CISOs at Fortune 1000 companies, 70% said that open source security solutions offered a faster way to secure their environments, and 78% said that they offered the latest and greatest innovations in cloud security.
"Open source permeates the data center," said Mike Parkin, cyber engineer at Vulcan Cyber. "If you're using tools to monitor your data center – a lot of those are open source. I was a penetration tester, and there are tons of open source tools in that world."
Parkin suggested that to familiarize yourself with the subject, one resource to start with is OWASP's list of free open source application security tools.
The SANS Institute also has a collection of open source security tools built by its instructors, he added.
The downside to using open source security software is that support might not be readily available, he said. Smaller, niche tools might have small user communities and few third-party experts ready to step in and help.
Others, however, have vendors standing behind them.
"There are a fair number of businesses out there whose entire business model is built around helping to deploy, maintain and service a particular open source project," Parkin said. "If you're using a purely open source project, that level of commercial-grade support isn't there. That means you'll need some in-house talent who's comfortable and capable in maintaining an open source tool."
Vulcan Cyber publishes its own list of open source tools for cyber risk assessment and mitigation.
Security testing firm Bishop Fox also has another list of open-source tools, this one specifically around ransomware, with pros and cons of each tool.
Security frameworks and information sharing
The MITRE ATT&CK framework developed by the non-profit MITRE Corporation is widely acknowledged as the gold standard in cybersecurity.
"It's a knowledge base of all the things that hackers would typically do," said Derek Rush, managing consultant at Bishop Fox.
ATT&CK is currently the most effective framework we have, he told Data Center Knowledge. "It covers tactics, techniques, and procedures, with specifics of each attack and indicators of compromise."
The MITRE Corporation is also one of the backers of the CVE list, which is sponsored by the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. Its mission is to identify, define and catalog publicly disclosed cybersecurity vulnerabilities – it currently catalogs more than 175,000 CVE entries.
The CVE program has more than 200 participants, including the Apache Software Foundation, Apple, Google, IBM, Intel, Microsoft, Red Hat, and Zero Day Initiative.
Another valuable resource for security professionals is the MISP open source threat intelligence product.
There are other industry and governmental groups for sharing threat information, Rush said: "Mature organizations take the approach that sharing is caring. If we can share how we got compromised, we can prevent other organizations from being compromised."
Organizations benefit greatly when threat intelligence is crowdsourced and shared across the community, said Sanjay Raja, VP of product at Gurucul.
"This can provide immediate protection or detection capabilities," he said, "while reducing the dependency on vendors who often do not provide updates to systems for weeks or even months."
"These platforms allow for the real-time exchange and consumption of automated, machine-readable feeds," explained Isabelle Hertanto, principal research director in the security and privacy practice at Info-Tech Research Group.
This steady stream of indicators of compromise can help security teams respond to network security threats, she told Data Center Knowledge.
In fact, the problem isn't the lack of open source threat intelligence data, but an overabundance, she said. To help data center security teams cope, commercial vendors are developing AI-powered solutions to aggregate and process all this information.
"We see this capability built into next generation commercial firewalls and new SIEM and SOAR platforms," Hertanto said.
She also expects such services to be offered by managed security service providers.
Open source security threats
According to Synopsys' 2021 open source security and risk analysis report, 98 percent of enterprise software projects, both internal and commercial, contain some open source code.
"Pretty much any software originated in open source somewhere," said Prakash Sutheraman, CISO at CloudBees, an enterprise software delivery company.
CloudBees itself is the originator of Jenkins, the dominant software delivery lifecycle automation tool.
Open source software can be vulnerable, Sutheraman said. Many people believe that open source is secure because anyone can look at the code and examine it for vulnerabilities. But that doesn't mean that people do.
Take the recent Log4j vulnerability, for example.
"I haven't come across anyone who can explain to me how Log4j actually works, who's looked through the source code," Sutheraman said. "Nobody looked at the package. They just assumed it was fine."
Smaller packages with few maintainers are particularly problematic. Attackers can use a variety of methods to try to inject malicious code into the software.
"But with most of the major packages, like Jenkins for example, there are a lot of checks and balances," he said. "We have dedicated security specialists to make sure that Jenkins is safe. That's true of most major open source projects. They take security very seriously."
Any enterprise software could potentially become the entry point for an attack. But when security software is used for this purpose, the threat is magnified because security tools are typically granted access to highly sensitive areas and systems.
Of course, it's not just open source security software that's targeted by attackers. SolarWinds – which suffered from a major exploit in 2020, resulting in thousands of its customers getting breached – was a commercial network security product. So avoiding open source does not guarantee security.
Instead, data centers should practice basic hygiene when it comes to their use of open source software, including open source security tools.
"The first question should be discovery," said Moshe Zioni, VP of security research at Apiiro, a company that helps security teams manage open source vulnerabilities. "Nobody really knows what's in use. Then, what kinds of risks are we taking, and how do we measure this risk?"
For example, he said, companies could consider how well a particular open source tool is being maintained, or set up a registry of approved software packages.
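As an added illustration of the discovery-then-assess hygiene described above (this is not code from the article, from Apiiro, or from any vendor named here), the following check takes a discovered inventory and flags packages that are outside an approved registry, stale, or thinly maintained; the inventory, registry, dates and thresholds are all constructed.

```python
"""Added example: minimal open source hygiene check.
Step 1 (discovery) is represented by a constructed inventory such as an
SBOM export might produce; step 2 (risk) is measured by maintenance level
and by membership in an approved-package registry. Everything is constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed inventory of what is "in use" (names and data are invented).
INVENTORY = [
    {"name": "log-formatter", "version": "2.14.1", "last_release": "2021-03-06", "maintainers": 3},
    {"name": "tiny-yaml", "version": "0.3.0", "last_release": "2018-11-20", "maintainers": 1},
    {"name": "webfw", "version": "4.2.0", "last_release": "2022-04-30", "maintainers": 12},
]

# Constructed registry of approved packages: name -> set of approved versions.
APPROVED = {"log-formatter": {"2.15.0"}, "webfw": {"4.2.0", "4.1.9"}}


@dataclass
class Finding:
    name: str
    version: str
    reasons: list


def assess(inventory, approved, today_iso, max_stale_days=365, min_maintainers=2):
    """Return one Finding per package that has at least one risk reason.
    today_iso is the assessment date as YYYY-MM-DD; thresholds are assumptions."""
    today = date.fromisoformat(today_iso)
    findings = []
    for pkg in inventory:
        reasons = []
        if pkg["name"] not in approved:
            reasons.append("not in approved registry")
        elif pkg["version"] not in approved[pkg["name"]]:
            reasons.append("version not approved")
        age = (today - date.fromisoformat(pkg["last_release"])).days
        if age > max_stale_days:
            reasons.append(f"no release in {age} days")
        if pkg["maintainers"] < min_maintainers:
            reasons.append(f"only {pkg['maintainers']} maintainer(s)")
        if reasons:
            findings.append(Finding(pkg["name"], pkg["version"], reasons))
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, APPROVED, "2022-05-20"):
        print(f"{f.name} {f.version}: " + "; ".join(f.reasons))
```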
Few companies have the resources to review and rate all possible open source software packages that could be used in their environments. It would be useful to have a public risk scoring system for open source software, similar to a credit rating.
"There are several being discussed," Zioni said. "OpenSSF is trying to do exactly that, to assess open source package risks."
Last Thursday, OpenSSF, the Linux Foundation, CISA, NIST, and other groups met in Washington, D.C. and announced a $150 million plan to secure open source software.
"It’s rare to see industry competitors, government, and diverse open source ecosystems all come together for the common good," said Brian Fox, OpenSSF governing board member and CTO at Sonatype. "It shows how massive a problem we have to solve in securing open source."
Amazon, Ericsson, Google, Intel, Microsoft and VMware have collectively pledged over $30 million for the effort.
"No one entity can solve it alone," Fox told Data Center Knowledge.