
Making Security an Open Source Community Affair

30 Apr 2020 12:00pm, by Matt Asay

Amazon Web Services (AWS) sponsored this post.

Matt Asay
Matt is a principal at AWS and has been involved in open source and all that it enables (cloud, machine learning, data infrastructure, mobile, etc.) for nearly two decades, working for a variety of open source companies and writing regularly for InfoWorld and TechRepublic. You can follow him on Twitter (@mjasay).

For more than 100 years we’ve lionized individual inventors — those who toil away in relative obscurity until the lightning bolt idea hits. Then, bam! Marie Curie gives us insight into radioactivity. Or Thomas Edison makes the incandescent light bulb a commercial reality. Or any number of inventors who have shaped our lives for good, (often) one patent at a time.

Which is great, and we should show gratitude for such inventors, but that’s not really how some of our best innovation happens today.

Too often we conflate invention with innovation, despite the fact that — as HackerOne CEO Marten Mickos has argued — “there is a world of difference between invention and innovation.” How so? “Most inventions never make it into the hands of consumers or into the use of society.”

For every life-changing patent by Edison, there are thousands that clog national patent offices — either doing no good or actively blocking other inventions. Innovation, by contrast — and particularly community-driven innovation — is almost by definition useful from the start, because the community shapes the innovation to suit real-world needs.

How does this work? I’m glad you asked.

It Takes a Community

No matter the institution — whether school, company, government, or other — you can’t possibly employ all the people you’d like to. This is a principle, attributed to Bill Joy, co-founder of Sun Microsystems, that underpins community-led innovation. Joy, speaking of the company’s Java strategy, said, “[T]he smartest people in the world don’t all work for us. Most of them work for someone else. The trick is to make it worthwhile for the great people outside your company to support your technology. Innovation moves faster when the people elsewhere are working on the problem with you.”

When Joy said this in the 1990s, open source wasn’t really a thing. Yes, Linus Torvalds was fiddling with Linux and Brian Behlendorf and others were kickstarting the Apache HTTP Server, but it wasn’t until 1998 that the term “open source” was even coined.

Today, however, open source is more than a clever phrase — it describes the way much of the world’s most important, and most innovative, software gets created. “Open source,” however, also describes software that may have the appropriate license, but doesn’t have the benefit of a community powering it.

I’ve written about why community-led open source is the most productive and most useful open source software. But, really, it comes down to the Joy principle. The smartest developers don’t work for you. As such, you need to find ways to corral the talents and insights of others outside your firewall.

Making Security a Community Affair

Given how much time Mickos spent running open source companies, including MySQL AB and Eucalyptus, it’s not surprising that he’d figure out a way to apply open source principles to other areas like security. HackerOne runs bounty programs to focus whitehat hackers on resolving complex software security issues. The driving force behind HackerOne’s model is the Joy principle: no company can hire enough developers to cover its security needs.

Or, as Mickos says,

A whitehat — as they are called to distinguish them from criminal blackhats — possesses curiosity and creativity that widely exceeds that of any man-made system or tool. Trying to solve the problem within the organization did not work. Opening up and sharing the problem with the whole world instantly produced a viable solution, a solution that scales infinitely. This is the key innovation of HackerOne. A new dimension of performance was created, not by an invention of one or a few deep experts, but by farming out the problem to the entire world. Innovation is endless when you leverage the creativity and diversity of humankind at scale.

In a separate article that Mickos shared with me (but hasn’t yet published), he notes, “Every organization will have temporary needs for specialized human abilities, but no organization will be able to permanently employ all of them.”

By leveraging a community that transcends any particular employer, we open ourselves to broad, diverse insights and approaches to solve security (and countless other business) problems. In security, as he goes on to argue, “There is no software or in-house team of experts that can measure up against the breadth of skills and creativity of a seemingly randomly assembled group of hackers.”

Tapping into the Open Source Community

As mentioned before, this same principle applies to open source software development. According to Mickos, “No company needs the world’s best experts all the time, but all companies need them some of the time.” In software, many of those experts choose to express their talents through open source contributions.

Though it’s hard to capture an exact number of open source developers, SlashData recently surveyed over 16,000 developers and found that nearly 60% contribute to open source software projects.

This jibes with results from the Stack Overflow survey of over 90,000 developers, which found that roughly 65% of developers surveyed contribute to open source projects.

If we assume 60% of developers want to dedicate at least some of their time to open source, and measure this against the total number of developers in the world, there is a massive pool of developers available to help. How massive? Well, SlashData puts the total number of developers at 19 million (13 million of whom are professionals). GitHub has set the number higher, at 40 million. But even 10 years ago there were 10 million MySQL users, and this is just one project, which could mean the global developer population is multiples of that.

At the low end of developer population estimates, we get a ballpark number of 7.8 million to 11.4 million open source contributors. If we take the higher estimates, we’re wading through tens of millions of potential contributors to a given open source project.

Too high? Even assuming 10% (heck, take 1%) of the lowest population numbers yields an incredible pool of developers that together contribute to well over 100 million open source projects on GitHub and elsewhere.

As Bill Joy points out, there’s zero chance you can hire all those people. With community-driven open source, you don’t have to.
