Open Source Is Taking Over Security
Open source is taking over the world. I’m sure you don’t need me to convince you about that, since it’s completely obvious as a statement. And because you are reading this on The New Stack, it is also likely obvious to you that software is experiencing a tectonic shift toward Kubernetes that is comparable in magnitude and importance to what we witnessed in the last 25 years with Linux.
Linux schedules processes on computers. Initially, it only ran on desktops, but it gradually expanded to virtually every area of computing, from cell phones and tiny edge devices to the biggest supercomputers in the world. Kubernetes schedules containers in data centers. Initially, it only ran in your own data center, but it gradually expanded to many other places, including the edge and all of the cloud providers. Open source, at this point, is everywhere. And of course, it is not limited to operating systems and container orchestrators as it includes web servers, databases, networking. It is hard to find an industry that is not driven by open source.
There is only one exception: security. Other than a handful of really cool tools, the security industry has historically lagged in open source adoption, often maintaining a proprietary approach. In particular, most of the big security vendors are only tangentially involved in open source and, it appears, only when they must. There were 12 talks at KubeCon+CloudNativeCon this year tagged as “Security + Identity + Policy,” but representation from the big security vendors is missing.
I argue that, despite having a lower penetration of open source, security is the industry that benefits the most from an open source approach. I also argue that open source will gradually take over and become the standard way to do security.
Why is open source the best way to do security?
Simply put: speed of innovation. A distributed, coordinated ecosystem operating on top of agreed common standards will beat a single vendor operating behind closed doors. Hands down, 100% of the time.
The rise of a widely adopted and open computing platform like Kubernetes has a big impact on this. On one hand, Kubernetes and cloud native have such a fast innovation pace that it’s hard for a vendor to keep up by itself. On the other hand, thanks to Kubernetes, for the first time we have a completely open platform to run our applications, where security can be natively integrated rather than being bolted on top. Adding security-related functionally to Amazon Web Services is hard — and likely unnatural — unless you are Amazon. Doing the same in Kubernetes is a matter of joining a SIG, making a reasonable proposal and working with the community to get it merged. In the process, you will receive valuable feedback from other vendors and potential users.
Open source will gradually take over and become the standard way to do security.
Which brings me to another reason why open source increases the speed of innovation: it empowers end users to work with vendors. Users of any size and level of sophistication can provide feedback in a tight loop and they can also contribute. Rule-based engines like Falco (of which I’m one of the creators) and the Open Policy Agent are excellent examples: you don’t need to be a hardcore developer to contribute to Falco, you can just contribute a rule and you will help a whole community. The intrinsically fragmented nature of vulnerabilities and threats makes this bazaar-oriented approach to contributing very effective.
In addition, friction can be reduced with the proper governance. For example, the fact that Falco and OPA are owned by the Cloud Native Computing Foundation (CNCF) instead of being controlled by a single vendor makes end users more comfortable with contributing. It also makes vendors in the space confident that they can build products on top of them.
This creates a virtuous cycle: vendors standardize on common policy languages and APIs, which further enables contribution, which causes more users to add value, which speeds up innovation.
Will open source become the standard way to do security?
Yes, it will, there is no escape. In the end, cybersecurity is a battle between the bad guys and the good guys. The army of the bad guys is big, smart and aggressive. And the deck is stacked in their favor.
The good guys’ best chance of succeeding? Working together, as a team, leveraging each other’s strength, making sure that no energy is wasted. A plethora of competing standards championed by many different vendors is not the optimal way to achieve that goal. A much better approach consists of leveraging a common set of standards that are deeply integrated in the platform, owned by the community, driven by consensus, on top of which all of the players can confidently innovate.
So commercial security vendors will go extinct?
Not at all! Open source doesn’t mean that commercial products will not exist. Actually, as cybersecurity keeps growing in importance, I predict that the industry will keep thriving and generating big winners. But the next generation of winners will have a different approach: they will work with the community. They will leverage the functionality offered by the platform, to which they will actively contribute, instead of reinventing the wheel and keeping it for themselves. They will work with their users as partners and find ways to maximize their contributions.
How am I sure this will happen?
It is actually happening.
My first company, CACE Technologies, was the business behind Wireshark, a free and open source packet analyzer used by millions. I started the company in 2005. At that time, open source was mostly based on “taking inspiration” from commercial products to implement similar solutions that would be free and developed in an open way.
Look, on the other hand, at the bleeding edge in Kubernetes security today: Falco, Anchore, Calico, OPA, Istio, and so on… Innovation starts in the community and great companies are built on top of it.
The future is already here. And, I bet, is here to stay.
Amazon Web Services, The Cloud Native Computing Foundation and KubeCon+CloudNativeCon are sponsors of The New Stack.