The Power of Open-Source Security: A Deep Dive

March 24, 2023

The Power of Open Source - with Nick Reva – Snap’s Head of Corporate Security Engineering

Open-source software (OSS) is increasingly becoming foundational to the security strategies of cutting-edge security teams. In a recent webinar hosted by Sandeep Lahane, co-founder and CEO of Deepfence, Nick Reva, Snap’s Head of Corporate Security Engineering, shared his insights on the role of open source in security programs and on how leaders and companies like Snap strategize around and use open-source security solutions.

In this blog, we’ll summarize some of the major topics discussed in the webinar and provide additional insights for readers looking to adopt open source into their security programs.

The Role of Open Source in Security Programs

Open-source solutions offer many advantages, such as low-level observability, scalability, no vendor lock-in, and attracting better talent. Nick shared an example of how Snap implemented open-source Falco for runtime monitoring, emphasizing that understanding the code you run is what lets you manage its risk effectively.

Operationalizing security at scale is an engineering problem, not a compliance issue, and open source enables hiring top talent directly from platforms like GitHub. Additionally, open source promotes extreme ownership and craftsmanship within the team and global community, as everyone can see and collaborate on the code.

The Difference between Good and Great Security

Security is fundamentally an engineering problem, and great security often involves building in-house solutions or adopting an open-source build culture. Using Snap as an example, Nick described how they have created a system for managing AWS permissions for thousands of engineers, focusing on abstracting complexity and providing a clear process.

Relying solely on vendor tools can be like hoarding. Organizations should be more intentional about their security vendor choices, knowing why they’re building or using specific tools. Open-source solutions can be more flexible and adaptable, as seen in the example of Snap adding Arm64 support for Falco by contributing to the open-source repo. The conversation then turned to the appropriate level of investment in security engineering and the potential of open-source tools for businesses of different sizes.

Challenges of Adopting Open Source for Security

When scaling an open-source program, it may not be possible to allocate 10% of the engineering team to security from the start. Nick recommends starting with one or two experienced engineers familiar with open-source projects and similar company cultures. By choosing a reliable open-source product with a strong community and support, organizations can achieve impressive results and save money.

Managing Open-Source Licenses

Managing open-source licenses is important for compliance, and there are tools available that can scan repositories to ensure compliance with licensing terms. An intentional strategy when adopting open-source solutions, including vetting projects and licenses with legal before using them, helps mitigate risks and ensures a better understanding of the chosen solutions.
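As an added illustration of the kind of repository scan the paragraph refers to (this is example code, not Deepfence’s or Snap’s tooling), the script below reads the license metadata of installed Python packages and sorts each one into allowed, denied, or needs-review against an allowlist. The allowlist, the alias table, and the choice to treat a bare "BSD" as BSD-3-Clause are assumptions that a legal team would set for a real program.

```python
"""Added example: check installed Python packages' declared licenses
against an allowlist, in the spirit of the license-scanning tools the
post mentions. The policy sets below are assumptions, not a recommendation.
"""
from importlib import metadata

# Constructed policy: SPDX identifiers assumed to be approved by legal.
ALLOWED = {"MIT", "BSD-3-Clause", "BSD-2-Clause", "Apache-2.0", "ISC", "PSF-2.0"}

# Free-text spellings commonly found in package metadata, mapped to an
# SPDX identifier. Mapping a bare "BSD" to BSD-3-Clause is an assumption.
ALIASES = {
    "mit": "MIT",
    "mit license": "MIT",
    "apache software license": "Apache-2.0",
    "apache 2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "bsd": "BSD-3-Clause",
    "bsd license": "BSD-3-Clause",
    "python software foundation license": "PSF-2.0",
}


def normalize_license(license_field, classifiers):
    """Derive an SPDX-style identifier from the License / License-Expression
    field and the Trove classifiers; "UNKNOWN" when nothing usable is found."""
    candidates = [license_field or ""]
    candidates += [c.split("::")[-1] for c in classifiers if c.startswith("License ::")]
    for raw in candidates:
        key = raw.strip().lower()
        if not key:
            continue
        if key in ALIASES:
            return ALIASES[key]
        if " " not in key:  # already looks like an identifier, e.g. "GPL-3.0-only"
            return raw.strip()
    return "UNKNOWN"  # e.g. a full license text pasted into the License field


def evaluate(name, license_field, classifiers):
    """Classify one package: allowed, denied, or review (identifier unknown)."""
    ident = normalize_license(license_field, classifiers)
    if ident == "UNKNOWN":
        verdict = "review"
    elif ident in ALLOWED:
        verdict = "allowed"
    else:
        verdict = "denied"
    return {"package": name, "license": ident, "verdict": verdict}


def scan(records):
    """records: iterable of (name, license_field, classifiers) tuples."""
    return [evaluate(*rec) for rec in records]


def scan_installed():
    """Scan every distribution visible to this interpreter."""
    return scan(
        (
            d.metadata.get("Name", ""),
            # Metadata 2.4 introduced License-Expression; fall back to License.
            d.metadata.get("License-Expression") or d.metadata.get("License") or "",
            d.metadata.get_all("Classifier") or [],
        )
        for d in metadata.distributions()
    )


# Constructed sample records covering each verdict path.
SAMPLE = [
    ("alpha", "MIT", []),
    ("beta", "", ["License :: OSI Approved :: Apache Software License"]),
    ("gamma", "GPL-3.0-only", []),
    ("delta", "", []),
]

if __name__ == "__main__":
    for row in scan(SAMPLE) + scan_installed():
        if row["verdict"] != "allowed":
            print(f'{row["verdict"]:7} {row["package"]}: {row["license"]}')
```

Packages that land in "review" are the ones worth a human look: metadata with no license field at all, or a full license text where an identifier was expected, is exactly where a vetting step with legal earns its keep.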

Building Secure Cloud-Native Services

Foundational controls are essential for building a secure cloud-native security program. The four pillars are:

  1. Measuring the attack surface.
  2. Developing a way to measure what comes in, what goes out, and what changes.
  3. Observing runtime signals and their interaction with the attack surface.
  4. Ensuring that observability is maintained throughout the system.

Partner Evaluation Process

The conversation pivoted to how a top-tier engineering team would evaluate an open-source project from a startup’s perspective. Key factors to consider include:

  1. Identifying the problem to solve and comparing build vs. buy options.
  2. Assessing the project’s legitimacy in the market: adoption rate, number of feature requests or pull requests, and the engagement of its support community.
  3. Considering the project’s longevity and the possibility of forking the project to create a custom iteration.
  4. Ensuring the open-source project is at least as good as or better than closed-source alternatives, or that it is open enough for customization.
  5. Evaluating the quality of the project, including aspects like the quality of alerts and the number of integrations available.

Managing Cloud Security at Internet Scale

Open source is an effective strategy for managing cloud security at Internet-scale companies. An open-source strategy promotes extreme ownership and craftsmanship within the team, attracts top talent, contributes back to the community, and allows for hiring software engineers into security roles. By combining open-source with a freemium model, startups can cater to skeptics, build a revenue pipeline, and enhance the enterprise version over time.

Deepfence’s Role in Cloud Native Security

Deepfence provides enterprise features in open-source projects for cloud security. Combining open-source with a freemium model raises the overall standard in cloud security and can lead to a gradual shift in the demand and supply curves of cloud security. Post-deployment observability is crucial to monitor for potential threats during runtime, even after pre-deployment measures have been taken. Solutions like Falco or Deepfence provide an observability layer at the kernel level, inspecting syscalls and detecting abnormalities. It’s important to graduate from pre-deployment to post-deployment observability as part of a mature security strategy.
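To make the "inspecting syscalls and detecting abnormalities" idea concrete, and to show what the runtime-signals pillar from the cloud-native section looks like in practice, here is an added example that is not Falco’s or Deepfence’s code: a small rule engine that takes process-spawn and file-open events of the kind a kernel-level sensor emits, checks them against a few detection rules, and also flags processes never seen for a container image during a learning window. The events are constructed, and the rules are loosely modelled on the style of Falco’s default ruleset (an assumption, not a copy of it).

```python
"""Added example: evaluate constructed runtime events (process spawns and
file opens) against detection rules plus a learned per-image process
baseline. Not Falco's engine; rule style is modelled on it by assumption."""
from collections import defaultdict
from dataclasses import dataclass

SHELLS = {"bash", "sh", "zsh", "dash"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "rpm"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers"}
SENSITIVE_READERS = {"sshd", "login", "sudo", "su"}  # expected readers (assumption)


@dataclass
class Event:
    evt: str          # "execve" (process spawn) or "open" (file open)
    proc: str         # process name
    parent: str       # parent process name
    container: str    # container id, or "host" for the host namespace
    image: str        # container image tag, "" on the host
    tty: int = 0      # controlling terminal, 0 = none
    path: str = ""    # file path for open events
    flags: str = ""   # "r" / "w" for open events


def terminal_shell_in_container(e):
    return e.evt == "execve" and e.container != "host" and e.proc in SHELLS and e.tty != 0


def write_below_etc(e):
    return (e.evt == "open" and "w" in e.flags and e.path.startswith("/etc/")
            and e.proc not in PACKAGE_MANAGERS)


def read_sensitive_file(e):
    return (e.evt == "open" and "r" in e.flags and e.path in SENSITIVE_FILES
            and e.proc not in SENSITIVE_READERS)


RULES = [
    ("NOTICE", "Terminal shell in container", terminal_shell_in_container),
    ("ERROR", "Write below /etc", write_below_etc),
    ("WARNING", "Read sensitive file", read_sensitive_file),
]


class RuntimeMonitor:
    def __init__(self):
        self.baseline = defaultdict(set)  # image -> process names seen while learning

    def learn(self, events):
        """Record which processes each image normally spawns."""
        for e in events:
            if e.evt == "execve" and e.image:
                self.baseline[e.image].add(e.proc)

    def evaluate(self, e):
        """Return (priority, rule) alerts raised by a single event."""
        alerts = [(prio, rule) for prio, rule, pred in RULES if pred(e)]
        if e.evt == "execve" and e.image in self.baseline and e.proc not in self.baseline[e.image]:
            alerts.append(("WARNING", "Process not in image baseline"))
        return alerts

    def run(self, events):
        return [(e, alert) for e in events for alert in self.evaluate(e)]


# Constructed learning window: the web image only ever spawns nginx.
BASELINE = [
    Event("execve", "nginx", "runc", "c1", "web:1.0"),
    Event("execve", "nginx", "nginx", "c1", "web:1.0"),
]

# Constructed live events: normal traffic, then an interactive shell in the
# container that reads /etc/shadow, a package manager writing under /etc,
# a host-side script editing /etc/hosts, and a non-interactive cron shell.
LIVE = [
    Event("execve", "nginx", "nginx", "c1", "web:1.0"),
    Event("execve", "bash", "nginx", "c1", "web:1.0", tty=1),
    Event("open", "bash", "nginx", "c1", "web:1.0", path="/etc/shadow", flags="r"),
    Event("open", "apt-get", "bash", "c1", "web:1.0", path="/etc/apt/sources.list", flags="w"),
    Event("open", "sh", "bash", "host", "", path="/etc/hosts", flags="w"),
    Event("execve", "sh", "cron", "host", ""),
]


def demo():
    """Learn the baseline, replay the live events, return the rule names raised."""
    monitor = RuntimeMonitor()
    monitor.learn(BASELINE)
    return [rule for _, (_, rule) in monitor.run(LIVE)]


if __name__ == "__main__":
    monitor = RuntimeMonitor()
    monitor.learn(BASELINE)
    for e, (prio, rule) in monitor.run(LIVE):
        print(f"{prio:8} {rule}: {e.proc} (parent {e.parent}, container {e.container})")
```

Two things the example makes visible that the paragraph alone does not: static rules catch known-bad patterns (a shell with a terminal inside a container, a non-package-manager writing under /etc), while the per-image baseline catches "this image has never run that binary before" without anyone having written a rule for it. Both depend on the sensor keeping the observability layer in place after deployment, which is the post-deployment point the paragraph makes.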

Salient Cloud Security Advice

In this section, Nick shares advice for the audience based on his experiences in the cybersecurity industry:

  1. Be a lifelong student: Embrace intellectual curiosity, never stop learning, and keep a growth mindset. This industry is fast-paced and dynamic, so continuous learning is essential for success.
  2. Teach others: Once you reach a certain level, help to evangelize and build up the next generation by sharing your knowledge and experience. When you teach, you master a topic.
  3. Practice servant leadership: Focus on supporting your team and removing yourself from the critical path by empowering your team to lead and allowing them to grow and become better.
  4. Solve for the boring stuff first: Address the foundational security controls such as hardening, monitoring, and observability to make them strong and mature before moving on to more advanced tools that the vendors may want to sell you. This strategic approach is crucial for building a strong security program.
  5. Build relationships and pay it forward: Develop a network of supporters in the industry and give back by speaking at events, writing blogs, or teaching.

OSS Evaluation Considerations

For the builders: when deciding between an open-source point solution for a specific use case and a broader open-source platform, first define your strategy, then evaluate the candidate solutions, and choose the one that best meets your requirements and aligns with that strategy. When upgrading from an open-source to an enterprise version of a product, consider market demand, enterprise needs, product differentiation, and monetization strategy.

Conclusion

Open-source software is increasingly becoming an essential part of security strategies for modern security teams. It provides many advantages, including low-level observability, scalability, no vendor lock-in, and attracting top talent. In this blog post, we summarized some of the significant topics discussed in the webinar hosted by Sandeep, co-founder and CEO of Deepfence, and Nick, Snap’s Head of Corporate Security Engineering, on the role of open-source in security programs.

Nick emphasized the importance of an engineering-driven approach to security and the difference between good and great security. Relying solely on vendor tools can be like hoarding, and organizations should be intentional about their security choices. Adopting open-source solutions can be flexible and adaptable and can save organizations money.

While there are challenges to adopting open source for security, such as managing open-source licenses and scaling open-source programs, it is essential to have an intentional strategy and choose reliable open-source products with a strong community and support.

Lastly, building secure cloud-native services requires foundational controls, including measuring the attack surface, observing runtime signals and their interaction with the attack surface, and ensuring that observability is maintained throughout the system.

In summary, the use of open-source software in security programs is becoming more common, and companies like Snap are using it to achieve impressive results. By adopting an engineering-driven approach to security, organizations can build more robust and effective security programs, save money, and attract top talent.

You can listen to the entire webinar and interview now. Don’t miss our next webinar panel of industry experts from Google, Snap, and Deepfence where they discuss Kubernetes security risks and attack vectors and share their best practices for detecting and responding to threats in these complex environments.