Open Source Cybersecurity: Towards a Democratized Framework
This post was previously published on The New Stack
Today, anyone can contribute to some of the world’s most important software platforms and frameworks, such as Kubernetes, the Linux kernel or Python. They can do this because these platforms are open source, meaning they are collaboratively developed by global communities.
What if we applied the same principles of democratization and free access to cybersecurity? In other words, what if anyone could contribute to security initiatives and help build a cybersecurity culture without requiring privileged access or specialized expertise?
To explore those questions, it’s worth considering the way that open source has democratized software development and comparing it to the potential we stand to realize by democratizing security.
Although the connection between open source software and democratized security only goes so far, thinking from this angle suggests a new approach to solving the cybersecurity challenges that have become so intractable for modern businesses.
So, let’s take a look at how open source democratized development and what it might look like to do the same thing for security.
Open Source and the Democratization of Software Development
Until the origin of GNU and the Free Software Foundation in the mid-1980s, no one thought of software as something that anyone could help design or create. Instead, if you wanted to build software, you needed membership in an elite club. You generally had to be a credentialed, professional programmer, and you typically had to have a job that put you in a position to create software.
GNU began to change this by allowing volunteers to build software, like the GNU C compiler, that eventually became massively important across the IT industry. Then, in the early 1990s, the advent of the Linux kernel project changed things even more. The Linux kernel was created by an undergraduate, Linus Torvalds, whom no professional programmer had ever heard of. If a twenty-something non-professional Finnish student could create a major software platform, it was clear that anyone could.
Today, anyone still can. You don’t need a special degree or professional connections to contribute to a platform like Kubernetes, as thousands of independent programmers do. Nor do today’s users need to rely on a handful of elite programmers to write the software they want to use. They can go out and help write it themselves via participation in open source projects. (Of course, the big caveat is that you need special skills to write open source software. But we’ll get to that point later.)
As a result of this democratization of development, it has become much easier for users to obtain the software they’d like to use, as opposed to the software that closed-source vendors think they should use. Open source has also turned out to make software development faster, and it tends to lower the overall cost of software development.
Towards an Open Source Cybersecurity Framework
Now, imagine what would happen if the world of cybersecurity were democratized in the way that software development has been democratized by open source.
It would create a world where security would cease to be the domain of elite security experts alone. Instead, anyone would be able to help identify the security problems that they face, then build the solutions they need to address them, just as software users today can envision the software platforms and features they’d like to see, then help implement them through open source projects.
In other words, users wouldn’t need to wait on middlemen — that is, the experts who hold the reins — to build the security solutions they needed. They could build them themselves.
That doesn’t mean that security experts would go away. They’d still be critical, just as professional programmers working for major corporations continue to play an important role alongside independent programmers in open source software development.
But instead of requiring small groups of security specialists to identify all the cybersecurity risks and solve them on their own, these tasks would be democratized and shared across organizations as a whole.
The result would be a world where security solutions could be implemented faster. The solutions would also more closely align with the needs of users, because the users would be building them themselves.
And security operations would likely become less costly, too, because the work would be spread out across organizations instead of being handled only by high-earning security professionals.
The Differences Between Open Source and Security Democratization
It’s important, of course, not to overstretch the analogy between open source democratization and security democratization. In particular, there are two main differences between these concepts.
One is that, whereas open source software can be built and shared by communities at large, security is something that is mostly used only internally. The security workflows that users might define using security democratization tools would only apply inside their own companies, rather than being shared with users at large.
The other, bigger limitation is that it takes special skills to build software. While it’s possible for non-coders to contribute to open source projects by doing things like writing documentation or designing artwork, most contributions require the ability to code.
In contrast, security democratization doesn’t have to require specialized security skills on the part of users. By taking advantage of no-code tools that let anyone define, search for and remediate security risks, businesses can democratize their security cultures without having to teach every employee to be a cybersecurity expert.
What this means is that, although it may seem far-fetched at first glance to democratize security, the means for doing so — no-code automation frameworks — are already there. They just need to be placed in the hands of users.
Over the course of a generation, the open source software movement radically transformed the way software is built. Although plenty of closed-source code continues to exist, programmers today can contribute to critical software platforms that operate on an open source model without requiring special connections or credentials. The result has been software that better supports users, and that takes less time and money to build.
Businesses can reap similar benefits in the realm of security by using no-code security automation tools to democratize their approach to security. When anyone can define security requirements and implement tools to meet them, security becomes more efficient, more scalable and better tailored to the needs of each user or group.