
Over the past decade or so, open source software has become a critical component of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.
And security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, YARA, Wireshark, and others are often found in organizations' arsenal of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.
To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to find and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize fast growth because we believe modern security operations are different from security in the past, when most deployments were on-premises. As such, many of the fast-growing OSS projects are newer projects designed for modern infrastructure environments.
To build this index, we used the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure functions, such as Terraform, Elastic, Istio, and Envoy, are not included here.
How We Ranked the Entries
Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They include:
- Number of stars: 30%
- Number of contributors (excluding bots and anonymous accounts): 25%
- Number of commits the project had in the last 12 months: 25%
- Number of watchers: 10%
- Change in the number of watchers over the past month: 5%
- Number of forks: 5%
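The weighting above is enough to reproduce the ranking step once the six raw metrics are in hand. The following Python is an added example, not code from the Open Source Security Index itself: it scales each metric to [0, 1] against the largest value in the candidate set (the page does not say how the authors normalized counts of very different magnitudes, so that step is an assumption here), applies the stated weights, and sorts. The repository names and numbers are constructed for illustration, and the contributor filter assumes the shape of GitHub's `GET /repos/{owner}/{repo}/contributors?anon=1` response, where bot accounts carry `type: "Bot"` and anonymous entries carry `type: "Anonymous"` with no `login`.

```python
"""Index Score ranking for GitHub security projects (added example, not the
index's own code). Normalization by the per-metric maximum is an assumption;
the page only states the weights."""
from typing import Dict, Iterable, List, Tuple

# Weights exactly as stated in the Index Score definition; they sum to 1.0.
WEIGHTS: Dict[str, float] = {
    "stars": 0.30,
    "contributors": 0.25,
    "commits_last_12_months": 0.25,
    "watchers": 0.10,
    "watcher_delta_last_month": 0.05,
    "forks": 0.05,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# Constructed sample input: hypothetical repositories, not real measurements.
SAMPLE_REPOS: Dict[str, Dict[str, float]] = {
    "alpha-scanner": {"stars": 20000, "contributors": 400, "commits_last_12_months": 2000,
                      "watchers": 800, "watcher_delta_last_month": 20, "forks": 3000},
    "beta-ids":      {"stars": 5000, "contributors": 100, "commits_last_12_months": 500,
                      "watchers": 300, "watcher_delta_last_month": -5, "forks": 900},
    "gamma-policy":  {"stars": 4000, "contributors": 60, "commits_last_12_months": 3000,
                      "watchers": 200, "watcher_delta_last_month": 40, "forks": 600},
}


def count_human_contributors(contributors: Iterable[dict]) -> int:
    """Count contributors while excluding bots and anonymous accounts.

    `contributors` is assumed to be the list returned by
    GET /repos/{owner}/{repo}/contributors?anon=1: bot accounts have
    type "Bot", anonymous commit authors have type "Anonymous" and no
    login. The "[bot]" suffix check is a belt-and-braces guard for
    GitHub App identities.
    """
    return sum(
        1
        for c in contributors
        if c.get("type") == "User"
        and c.get("login")
        and not c["login"].endswith("[bot]")
    )


def index_scores(repos: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Weighted average of the six metrics, each scaled by its maximum
    across the candidate set (assumption). A negative watcher delta
    therefore lowers a score; a metric whose maximum is not positive
    contributes nothing rather than dividing by zero."""
    maxima = {m: max(r[m] for r in repos.values()) for m in WEIGHTS}
    scores: Dict[str, float] = {}
    for name, metrics in repos.items():
        score = 0.0
        for metric, weight in WEIGHTS.items():
            if maxima[metric] > 0:
                score += weight * (metrics[metric] / maxima[metric])
        scores[name] = score
    return scores


def rank(repos: Dict[str, Dict[str, float]], top: int = 100) -> List[Tuple[str, float]]:
    """Return the `top` repositories ordered by descending Index Score."""
    scores = index_scores(repos)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    for name, score in rank(SAMPLE_REPOS):
        print(f"{name:15s} {score:.4f}")
```

When pulling the numbers from the REST API, note that the repository object's `watchers_count` is a legacy alias for the star count; the number of people actually watching a repository is `subscribers_count`, which is the field a watcher-based metric should read.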
Based on this scoring method, we list the top 100 GitHub projects on The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.
While the top 25 list includes familiar tools like Metasploit, Wireshark, and osquery, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.
Looking across the top 25 list, a few interesting trends emerge. They are:
- Attack and red-team open source tools remain popular: Projects that provide effective attack and testing tools are prominently placed on the list. Metasploit, OSS-Fuzz, Atomic Red Team, and ZAP are a few examples.
- Security for modern infrastructure is gaining popularity: Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. These projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream in security operations.
- Automation and "as-code" workflow utilities have emerged: It is also worth noting that projects that enable automation and "as-code" workflows have appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, red teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.
We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source strategy provides a clear advantage compared with the traditional way of developing and deploying proprietary software artifacts.
We created this index because we had a difficult time finding a good, representative list of open source security projects. Although imperfect, this index represents a starting point to build a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.