Over the past decade or so, open source software has become a critical component of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.
And security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, YARA, Wireshark, and so on, are often found in organizations' arsenal of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.
To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to find and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize fast growth because we believe modern security operations are different from security in the past, when most deployments happened on-premises. As such, many of the fast-growing OSS projects are newer initiatives designed for modern infrastructure environments.
To build this index, we used the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure capabilities, such as Terraform, Elastic, Istio, and Envoy, are not included here.
How We Ranked the Entries
Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They include:
- Number of stars: 30%
- Number of contributors (excluding bots and anonymous accounts): 25%
- Number of commits the project had in the last 12 months: 25%
- Number of watchers: 10%
- Change in the number of watchers over the last month: 5%
- Number of forks: 5%
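To make the weighting concrete, here is an added example (my own code, not the index's own implementation) that computes an Index Score from the six metrics above and ranks projects by it. The weights are the ones listed; the min-max scaling of each metric across the candidate set, the GitHub contributors API record shape used for the bot/anonymous filter, and the sample project numbers are my assumptions.

```python
from typing import Dict, List

# Weights exactly as the post lists them. Min-max scaling below is my assumption:
# the post does not say how raw GitHub counts are made comparable.
WEIGHTS = {
    "stars": 0.30,
    "contributors": 0.25,  # bots and anonymous authors excluded
    "commits_last_year": 0.25,
    "watchers": 0.10,
    "watcher_change_last_month": 0.05,
    "forks": 0.05,
}

def count_human_contributors(contributors: List[dict]) -> int:
    """Count contributors whose 'type' is 'User', dropping the 'Bot' and
    'Anonymous' records that the GitHub contributors API also returns."""
    return sum(1 for c in contributors if c.get("type") == "User")

def min_max(values: List[float]) -> List[float]:
    """Scale one metric to [0, 1] across all candidates (assumed normalisation)."""
    lo, hi = min(values), max(values)
    return [1.0 if hi == lo else (v - lo) / (hi - lo) for v in values]

def index_scores(projects: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Weighted average of the scaled metrics: one Index Score per project."""
    names = list(projects)
    scores = {n: 0.0 for n in names}
    for metric, weight in WEIGHTS.items():
        scaled = min_max([projects[n][metric] for n in names])
        for name, value in zip(names, scaled):
            scores[name] += weight * value
    return scores

def rank(projects: Dict[str, Dict[str, float]]) -> List[str]:
    """Project names ordered from highest to lowest Index Score."""
    scores = index_scores(projects)
    return sorted(scores, key=scores.get, reverse=True)

# Constructed sample metrics for three fictional projects (not real data).
SAMPLE = {
    "proj-a": {"stars": 30000, "contributors": 900, "commits_last_year": 2000,
               "watchers": 1000, "watcher_change_last_month": 5, "forks": 8000},
    "proj-b": {"stars": 12000, "contributors": 300, "commits_last_year": 5000,
               "watchers": 400, "watcher_change_last_month": 60, "forks": 1500},
    "proj-c": {"stars": 5000, "contributors": 50, "commits_last_year": 300,
               "watchers": 150, "watcher_change_last_month": 2, "forks": 600},
}
```

With the constructed data, proj-a scores about 0.79 and proj-b about 0.49 despite proj-b having far more recent commits, which shows how much the 30% star weight and 25% contributor weight dominate the ranking.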
Based on this scoring methodology, we list the top 100 GitHub projects on The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.
While the top 25 list includes familiar tools like Metasploit, Wireshark, and osquery, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.
Looking across the top 25 list, a few interesting trends emerge. They are:
- Attack and red-team open source tools remain popular: Projects that provide effective attack and testing tools are prominently placed on the list. Metasploit, OSS-Fuzz, Atomic Red Team, and ZAP are a few examples.
- Security for modern infrastructure is gaining popularity: Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. These projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream in security operations.
- Automation and "as-code" workflow utilities have emerged: It is also worth noting that projects that enable automation and "as-code" workflows have appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, red teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.
We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source strategy offers a clear advantage compared with the traditional way of developing and deploying proprietary software artifacts.
We created this index because we had a hard time finding a good, representative list of open source security projects. Though imperfect, this index represents a starting point for building a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.