When public clouds first came into existence, cloud providers had to educate organizations using their products and services about the shared responsibility model – basically, the notion that the cloud service provider (CSP) is responsible for the security of the cloud, and customers are responsible for the security of what they put in the cloud (such as applications and data). However, Deepfence firmly believes that the shared responsibility model is not merely two-sided and that security vendors and the security community play a shared role in securing the world’s most sensitive data and applications – a role that goes beyond making a profit and creating alert fatigue for security professionals.
Meanwhile, public cloud spend is approaching $400B per year, and there is still not a single open source tool or platform that can visualize multiple clouds and all cloud-native modalities. What works for K8s does not work for serverless, and so on. If you cannot observe your environment, you cannot secure it.
We dream of a better future: a shared security model, if you will, between the security community and vendors, one that creates a framework and an equitable starting point for defense against today’s and tomorrow’s threat landscape.
In the shared security model, the security community demands:
In return, security vendors promise to:
By working together towards a future where these statements are truly put into practice, the security industry can keep pace with the explosion of threats to our applications and the supply chain. We must bring together parties from across the community to harness their wisdom and forge a collective response. That necessitates an open source model.
Open source is eating the world, with one exception: cybersecurity. Sure, there are many cybersecurity platforms aimed at securing open source applications, but there has been a gaping hole where open cybersecurity platforms should be.
Most modern applications are the result of free, open, collaborative efforts. It makes sense, then, that cybersecurity should be rooted in the collective expertise of the community – and, with today’s non-stop barrage of new attacks, the community’s collective energy and wisdom.
Indeed, the real power of an open source cybersecurity platform is that it is available to all – not just large enterprises or companies with a deep cybersecurity bench – and that it benefits from the contributions of all. An open cybersecurity platform also plays an important role in educating users – security experts or not – on the importance of securing applications from development, through production and beyond.
The ascent of open source has not been without its bumps. We’ve seen a 146% increase in ransomware attacks on Linux, and manufacturing has replaced financial services as hackers’ top target as they shift their attention to IoT, according to the X-Force Threat Intelligence Index.
The software supply chain used by developers is leaving the systems that they build vulnerable to a wide variety of attacks. Synopsys found that 78% of the source code used by applications was open source, and reckons that 81% of that code contains at least one vulnerability. Attackers are weaponizing those vulnerabilities, with the software supply chain serving as an avenue of attack for two-thirds of companies, according to a 2022 report from Anchore.
Securing the software supply chain will take a cyber defense of comparable scale and breadth. The foundations of such a defense must also be community based – and that means open source.
With the launch of ThreatMapper 1.4, Deepfence is defining and doing our part in fulfilling the shared security model. We call upon the cybersecurity community to come together to build a better common defense.
While cloud-native environments themselves are built on the backs of OSS tools and frameworks, the security products designed to protect these environments have remained largely in the domain of enterprise security companies. These vendors have held back foundational security tooling and actionable, prioritized security alerting from the security community. This changes now.
Foundational security is a basic right and a common good. We imagine a world where day-zero needs such as vulnerability management, cloud security posture management, malware detection, secret scanning, and ANY other tool that helps users measure what is attackable are free, open to the public, and driven by community-contributed security intelligence.
Amid a constantly evolving threat landscape across clouds, environments, infrastructure modalities, and attack vectors, enterprise security vendors have built a never-ending series of better mousetraps that do little more than let customers know that a threat exists or could exist. These solutions provide alerts in siloed, disparate systems. Worst of all, they merely highlight what could go wrong, with no context for likelihood or impact. And, as the threat landscape grows scarier and ever closer to home, vendors have been able to convince customers to buy additional modules and features: VMDR for vulnerability detection, CWPP for cloud workload protection, CSPM for cloud misconfigurations, AV for malware detection, … the list goes on – and on.
Yet despite these multiple layers of products and add-ons, we are still seeing headlines such as “Log4j: The Pain Just Keeps Going and Going,” “Just Because You Don’t See Hackers, Doesn’t Mean They Are Not In Your Network,” and “Why There is No Quick Fix to Cyber Attacks.”
There is no end in sight to attacks affecting our cloud-native infrastructure, either through the supply chain that we have all become so dependent on, or through taking advantage of the lack of visibility companies have within closed-ecosystem tools that neither integrate nor effectively share data. Traditional security tools not only aren’t helping, they may be actively hurting: they compound the problem of alerts without context for companies that are already short on security time, money, and staff.
It has become apparent that there is a missing piece of the puzzle for security professionals trying to effectively defend against the threats and threat actors that have multiplied over the years.
Security observability is that missing piece of the puzzle, and ThreatMapper 1.4 is the first open source security platform on the market to:
This empowers organizations to not only identify threats but also to determine how – and how quickly – to deal with them. In a globally connected environment in which a single vulnerability can put untold numbers of organizations and their customers at risk (think Log4j), a platform like ThreatMapper is critical.
ThreatMapper generates an actionable ThreatGraph for cloud-native environments by scanning for vulnerabilities, cloud misconfigurations, exposed secrets, and malware. By layering the results of these scans with runtime context about the workload, cloud configuration, and, most importantly, live network traffic, organizations can prioritize their risk.
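To make that layering concrete, here is an added example (not ThreatMapper’s own code) that ranks scan findings by whether the affected workload has an observed network path from the internet, and only then by severity. The workload names, flows, and severity scores are all constructed for the illustration.

```python
# Added illustration, not ThreatMapper's code: prioritize scan findings using
# observed network flows so that internet-reachable workloads come first.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    workload: str
    kind: str        # "vulnerability", "misconfiguration", "secret", "malware"
    severity: float  # 0-10, CVSS-like score (constructed values)


# Constructed sample of observed flows (src -> dst). "internet" is the
# untrusted source; every other node is a workload.
FLOWS = [("internet", "ingress"), ("ingress", "api"), ("api", "db"),
         ("batch", "db")]

FINDINGS = [
    Finding("db", "vulnerability", 9.8),         # critical, but only reachable via api
    Finding("api", "vulnerability", 7.5),        # two hops from the internet
    Finding("batch", "secret", 8.0),             # no inbound path from the internet
    Finding("ingress", "misconfiguration", 5.3),  # directly internet-facing
]


def reachability(flows, source="internet"):
    """Return {workload: hops} for every workload with a path from `source`."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
    dist = {source: 0}
    queue = deque([source])
    while queue:  # breadth-first search over observed flows
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    dist.pop(source, None)
    return dist


def prioritize(findings, flows):
    """Order findings: reachable first, fewest hops first, then highest severity."""
    hops = reachability(flows)
    def key(f):
        return (f.workload not in hops, hops.get(f.workload, float("inf")), -f.severity)
    return sorted(findings, key=key)


if __name__ == "__main__":
    for f in prioritize(FINDINGS, FLOWS):
        print(f"{f.workload:8} {f.kind:17} severity={f.severity}")
```

Note that the high-severity secret on the unreachable `batch` workload ranks last: without the network context, severity alone would have put it near the top.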
Open source ThreatMapper 1.4 is truly an industry first. There is no other project, open source or commercial, that applies these comprehensive features and capabilities across the cloud-native continuum.
Specifically, ThreatMapper 1.4 includes the following new features, launching today:
ThreatMapper 1.4 enables organizations to find and rank potential threats, such as the Log4j2 vulnerability, so security teams can make informed decisions and shore up critical gaps that may have otherwise gone unnoticed. This builds on the advanced security tools in Deepfence ThreatMapper 1.3, such as secret scanning at runtime and runtime Software Bill of Materials (SBOM), protecting not only individual organizations but also our ever-more-interconnected society as a whole.
ThreatMapper 1.4 is 100% open source and available on GitHub. We encourage you to download it today to begin working toward a more open and secure future. Visit our Deepfence Community website to collaborate on democratizing cloud-native security for all.