Where to Find the Best Open Source Security Technology




In the past decade or so, open source software has become a critical component of many companies’ tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.

Security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, Yara, Wireshark, and others are often found in organizations’ arsenal of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.

To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to find and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize fast growing because we believe modern security operations are different from security in the past, when most deployments happened on-premises. As such, many of the fast-growing OSS projects are newer initiatives designed for modern infrastructure environments.

To build this index, we used the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure functions, such as Terraform, Elastic, Istio, and Envoy, are not included here.

How We Ranked the Entries

Once we had the raw list, we ranked entries based on an “Index Score,” which is a weighted average of six metrics retrieved from GitHub. They include:

  • Number of stars: 30%
  • Number of contributors (excluding bots and anonymous accounts): 25%
  • Number of commits the project had in the last 12 months: 25%
  • Number of watchers: 10%
  • Change in the number of watchers over the last month: 5%
  • Number of forks: 5%

Based on this scoring methodology, we list the top 100 GitHub projects on The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.
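The weighting above can be sketched as follows. This is an added example, not the index's own code: the article does not say how the six metrics are put on a common scale, so min-max normalization across the candidate set is an assumption, and the project names and numbers are constructed.

```python
# Weights as stated in the article (they sum to 100%).
WEIGHTS = {
    "stars": 0.30, "contributors": 0.25, "commits_12m": 0.25,
    "watchers": 0.10, "watchers_delta_1m": 0.05, "forks": 0.05,
}

def human_contributors(contributors):
    """Count contributors, excluding bots and anonymous accounts.

    Expects GitHub-API-style records with a "type" field
    ("User", "Bot" or "Anonymous") and, for accounts, a "login".
    """
    return sum(
        1 for c in contributors
        if c.get("type") == "User" and not c.get("login", "").endswith("[bot]")
    )

def normalize(values):
    """Min-max scale to [0, 1] (assumed; the article gives no scaling)."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0] * len(values)
    return [(v - lo) / (hi - lo) for v in values]

def rank(projects):
    """Return [(name, index_score), ...] sorted from highest to lowest."""
    names = list(projects)
    scores = dict.fromkeys(names, 0.0)
    for metric, weight in WEIGHTS.items():
        column = normalize([projects[n][metric] for n in names])
        for name, value in zip(names, column):
            scores[name] += weight * value
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample data: hypothetical projects, not real index entries.
SAMPLE = {
    "old-popular": {"stars": 30000, "contributors": 400, "commits_12m": 300,
                    "watchers": 1500, "watchers_delta_1m": 5, "forks": 9000},
    "new-fast": {"stars": 12000, "contributors": 500, "commits_12m": 3000,
                 "watchers": 300, "watchers_delta_1m": 40, "forks": 1500},
    "small": {"stars": 2000, "contributors": 50, "commits_12m": 200,
              "watchers": 100, "watchers_delta_1m": 0, "forks": 200},
}

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{name:12s} {score:.4f}")
```

With these constructed numbers, the actively developed project edges out the one with far more stars, because contributors and recent commits together carry half of the weight.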

While the top 25 list includes familiar tools like Metasploit, Wireshark, and OS Query, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.

Looking across the top 25 list, a few interesting trends emerge. They are:

  • Attack and red-team open source tools remain popular: Projects that provide effective attack and testing tools are prominently placed on the list. Metasploit, OSS Fuzz, Atomic Red Team, and Zap are a few examples.
  • Security for modern infrastructure is gaining popularity: Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. Those projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream in security operations.
  • Automation and “as-code” workflow utilities have emerged: It’s also worth noting that projects that enable automation and “as-code” workflows have appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, purple teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.

We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the “shift-left” mindset, where managing security policies and operations is like managing “code.” To this end, an open source strategy provides a clear advantage compared with the traditional way of developing and deploying proprietary software artifacts.

We created this index because we had a challenging time finding a good, representative list of open source security projects. Although imperfect, this index represents a starting point for building a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.
