Open-source software (OSS) is increasingly becoming foundational to security strategies for cutting-edge security teams. In a recent webinar hosted by Sandeep Lahane, co-founder and CEO of Deepfence, Nick Reva, Snap’s Head of Corporate Security Engineering, shared his insights on the role of open source in security programs and how leaders and companies like Snap strategize and use open-source security solutions.
In this blog, we’ll summarize some of the major topics discussed in the webinar and provide additional insights for readers looking to adopt open source into their security programs.
Open-source solutions offer many advantages, such as low-level observability, scalability, no vendor lock-in, and attracting better talent. Nick shared an example of how Snap implemented open-source Falco for runtime monitoring, emphasizing the importance of understanding the code in order to manage risk effectively.
Operationalizing security at scale is an engineering problem, not a compliance issue, and open source enables hiring top talent directly from platforms like GitHub. Additionally, open source promotes extreme ownership and craftsmanship within the team and global community, as everyone can see and collaborate on the code.
Security is fundamentally an engineering problem, and great security often involves building in-house solutions or adopting an open-source build culture. Using Snap as an example, Nick described how they have created a system for managing AWS permissions for thousands of engineers, focusing on abstracting complexity and providing a clear process.
Relying solely on vendor tools can be like hoarding. Organizations should be more intentional about their security vendor choices, knowing why they’re building or using specific tools. Open-source solutions can be more flexible and adaptable, as seen in the example of Snap adding Arm-64 support for Falco by contributing to the open-source repo. The conversation then turned to the appropriate level of investment in security engineering and the potential of open-source tools for businesses of different sizes.
When scaling an open-source program, it may not be possible to allocate 10% of the engineering team to security from the start. Nick recommends starting with one or two experienced engineers familiar with open-source projects and similar company cultures. By choosing a reliable open-source product with a strong community and support, organizations can achieve impressive results and save money.
Managing open-source licenses is important for compliance, and there are tools available that can scan repositories to ensure compliance with licensing terms. An intentional strategy when adopting open-source solutions, including vetting projects and licenses with legal before using them, helps mitigate risks and ensures a better understanding of the chosen solutions.
Foundational controls are essential for building a secure cloud-native security program. The four pillars are: measuring the attack surface; developing a way to measure what comes in, what goes out, and what changes; observing runtime signals and their interaction with the attack surface; and ensuring that observability is maintained throughout the system.
The conversation pivoted to how a top-tier engineering team would evaluate an open-source project from a startup’s perspective. Key factors to consider include:
Open source is an effective strategy for managing cloud security at Internet-scale companies. An open-source strategy promotes extreme ownership and craftsmanship within the team, attracts top talent, contributes back to the community, and allows for hiring software engineers into security roles. By combining open-source with a freemium model, startups can cater to skeptics, build a revenue pipeline, and enhance the enterprise version over time.
Deepfence provides enterprise features in open-source projects for cloud security. Combining open-source with a freemium model raises the overall standard in cloud security and can lead to a gradual shift in the demand and supply curves of cloud security. Post-deployment observability is crucial to monitor for potential threats during runtime, even after pre-deployment measures have been taken. Solutions like Falco or Deepfence provide an observability layer at the kernel level, inspecting syscalls and detecting abnormalities. It’s important to graduate from pre-deployment to post-deployment observability as part of a mature security strategy.
In this section, Nick shares advice for the audience based on his experiences in the cybersecurity industry:
For the builders, when deciding between an open-source point solution for a specific use case or a broader open-source platform, consider defining your strategy, evaluating solutions, and choosing the solution that best meets your requirements and aligns with your overall strategy. When upgrading from an open-source to an enterprise version of a product, consider the market demand, enterprise needs, product differentiation, and monetization strategy.
Open-source software is increasingly becoming an essential part of security strategies for modern security teams. It provides many advantages, including low-level observability, scalability, no vendor lock-in, and attracting top talent. In this blog post, we summarized some of the significant topics discussed in the webinar hosted by Sandeep, co-founder and CEO of Deepfence, and Nick, Snap’s Head of Corporate Security Engineering, on the role of open-source in security programs.
Nick emphasized the importance of an engineering-driven approach to security and the difference between good and great security. Relying solely on vendor tools can be like hoarding, and organizations should be intentional about their security choices. Adopting open-source solutions can be flexible and adaptable and can save organizations money.
While there are challenges to adopting open source for security, such as managing open-source licenses and scaling open-source programs, it is essential to have an intentional strategy and choose reliable open-source products with a strong community and support.
Lastly, building secure cloud-native services requires foundational controls, including measuring the attack surface, observing runtime signals and their interaction with the attack surface, and ensuring that observability is maintained throughout the system.
In summary, the use of open-source software in security programs is becoming more common, and companies like Snap are using it to achieve impressive results. By adopting an engineering-driven approach to security, organizations can build more robust and effective security programs, save money, and attract top talent.
You can listen to the entire webinar and interview now. Don’t miss our next webinar panel of industry experts from Google, Snap, and Deepfence where they discuss Kubernetes security risks and attack vectors and share their best practices for detecting and responding to threats in these complex environments.