By Paul Veeneman
Editor’s Note: Paul Veeneman (CISSP, CISM, CRISC, CMMC-RP) is a cybersecurity, risk management, and compliance professional with 27 years of experience providing knowledge and guidance across various verticals and critical infrastructure. The following article is an abstract from his guest presentation at Atomic OSSEC Conference 2023.
Why open source software and security?
Crowd-developed open source software comprises an estimated 70-90 percent of any given modern software application (and approximately 60 percent of the overall codebase). It provides the foundation for many server and cloud environments including containers and application clusters. Commercial software vendors, whose offerings are ‘technically’ derived from open source software, don’t always fully understand the vulnerabilities or expertise needed to secure the underlying open-source code.
Enter open source security. Open source security can be part of risk treatment and mitigation for today’s heterogeneous computing and communication systems.
Open source security application development is a passionate do-it-yourself community that pushes software to the next level, going beyond mainstream commercial software feature focus, enabling enterprises to identify vulnerabilities and intensify protective capabilities across their security architectures. Problem solving occurs earlier and with more vigor. The open source software patch can remediate specific vulnerabilities or be part of a more widespread and strategic plan to intelligently resolve software bill of materials or supply chain risk for greater defense in depth.
Open Source Enterprise Security Applications: The Benefits
It’s a myth that open source-based security is not enterprise ready . . . that open source means open season. Open source security is used in enterprise settings today, and adoption, integration and deployment of open source security occurs across the world, across different IT and OT applications. These often free yet advanced open source security rules and tools, including AI automated detection and response, provide much of the backbone for today’s:
- Intrusion prevention, e.g., the OSSEC Host Intrusion Detection System.
- Protocol analysis, sniffers, port scanning, wireless security, vulnerability identification and resolution.
- Audit controls and compliance with government and industry standards for security and data use.
- Integration into larger security solutions, or integration of different vendor security components and event feeds.
- Password cracking.
- Compliance with security requirements and standards such as NIST 800-171 and PCI DSS.
As you might expect, inevitably, the open source security developed solution is integrated into a commercial software offering.
So open source security can be evaluated as an organizational solution, building on commercial vendor defaults, and can enable organizations and DevSecOp teams to:
- Code and compose for a more defense-in-depth, risk mitigated endpoint and cloud workload protection architecture.
- Deploy security services to extend risk vigilance beyond compliance, using global threat intelligence, closing vulnerability gaps.
- Optimize open source software reliability and performance. When a commercial vendor is not fully supporting software anymore or no longer securing the kernel, open source security allows user security and operational control to flex native and deep.
- Cost-effectively boost security. Open source security is crowd developed, helpful to smaller security engineering teams. Software documentation, community support and learning services in open source security are plentiful for eager engineers.
As needs change, open source security enables your organization to remain vendor-independent and adapt and flex the security architecture. The ability to pick and choose the best security software they need for a specific project.
Due Diligence for Major Open Source Security Projects
There are initial considerations to open source security architectures.
The first is determining the rationale. Determine where open source security could be applied in your organization, and what are the cost benefits and risks associated with choosing to adopt or abstain.
Second, while open source security is evolving, internal customization is needed. Open source security software can be deployed to scale to support requirements long term. Many of the open source security software products today are modular and allow for distributed deployments. Ensure that you have the correct design considerations in place.
Lastly, open source security doesn’t come with a warranty or guarantee. It’s more internal control, responsibility, and independence for the IT security team. Ensure the organization has requisite personnel for support, or take advantage of the project’s community of support.
The SWOT Challenges of Open Source Security
The challenge of open source security architectures generally align with the challenges of open source software in general:
- Open source might become vulnerable due to its openness, where an organization is sharing open source code with a community, causing exposure and risk. But there is another way of looking at this, a scenario where the good hats in the community step up to help identify and plug your gaps and issues more proactively.
- Security engineering expertise is needed to implement open source security. Open source security requires expertise for the proper deployment and use of the software. To help, availability of documentation and actively updated open source rules are key. While, today, open source software is more easily being composed vs. coded, those composed results don’t always get the security updates from the original yet still active crowdsourced developers.
- Some open source security has to be licensed. If required, that’s manageable. Be sure to review the licenses for any restrictions on projects or modules so you get the most out of your open source security from a use and distribution perspective.
When choosing open source community sources, assess if code is available for common integrations, and if topics match projects you want to tackle with open source security. All in the spirit of giving back to the community.
Open source can be fine-tuned to provide interoperability or segmentation across commercial security components, so you have enterprise-wide data security management. Open source security engineers can get hosted services or technical support and training from third parties to ensure ongoing software performance, vulnerability testing, leading to sounder security and risk management.
Atomic OSSEC Conference 2023
Get the conference replay of Paul’s full presentation on The Benefits of Open Source Security.
Learn more about Paul Veeneman at https://www.linkedin.com/in/paulveeneman/
Read his article on NIST 800-171 compliance.
For an extra edge, training sessions enable open source security practitioners to more easily deploy advanced security and compliance functionality.
Check out the OSSEC community and Atomic OSSEC Support.
- Join the OSSEC community on Slack.
- Get additional open source security training and support via Atomicorp on Slack.