In the past decade or so, open source software has become an essential element of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.
And security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, YARA, Wireshark, and others are often found in organizations' arsenals of security tools. Open source is now essential to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.
To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to discover and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize fast-growing projects because we believe modern security operations differ from security in the past, when most deployments happened on-premises. As such, many of the fast-growing OSS projects are newer projects built for modern infrastructure environments.
To build this index, we use the GitHub API to pull projects based on tags and topics, and we manually added projects that lack labels. To constrain our scope, we restricted the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure capabilities, such as Terraform, Elastic, Istio, and Envoy, are not included here.
How We Rated the Entries
Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They consist of:
- Number of stars: 30%
- Number of contributors (excluding bots and anonymous accounts): 25%
- Number of commits the project had in the last 12 months: 25%
- Number of watchers: 10%
- Change in the number of watchers over the last month: 5%
- Number of forks: 5%
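As an added illustration of the weighting above (not code from the index project itself), the following Python ranks a set of projects by a weighted average of the six GitHub metrics. The page does not say how metrics on different scales (stars vs. monthly watcher change) are made comparable before weighting, so this example assumes min-max normalization across the project set; the project names and metric values are constructed sample data, not real GitHub numbers.

```python
# Weighted Index Score computation, as an illustration of the methodology above.
# Assumption (not stated on the page): each metric is min-max normalized across
# the project set before weighting so that raw counts on very different scales
# (e.g. stars vs. watcher change) contribute proportionally to their weight.

WEIGHTS = {
    "stars": 0.30,
    "contributors": 0.25,
    "commits_12mo": 0.25,
    "watchers": 0.10,
    "watcher_delta_1mo": 0.05,
    "forks": 0.05,
}

# Constructed sample metrics for three hypothetical projects (not real data).
SAMPLE_PROJECTS = {
    "project-a": {"stars": 30000, "contributors": 800, "commits_12mo": 2500,
                  "watchers": 1200, "watcher_delta_1mo": 10, "forks": 9000},
    "project-b": {"stars": 12000, "contributors": 300, "commits_12mo": 4000,
                  "watchers": 400, "watcher_delta_1mo": 40, "forks": 1500},
    "project-c": {"stars": 2000, "contributors": 50, "commits_12mo": 300,
                  "watchers": 100, "watcher_delta_1mo": 2, "forks": 200},
}


def normalize(projects, metric):
    """Min-max normalize one metric across all projects to the range [0, 1].

    If every project has the same value, the metric carries no ranking
    information, so each project receives the full normalized value 1.0.
    """
    values = [p[metric] for p in projects.values()]
    lo, hi = min(values), max(values)
    if hi == lo:
        return {name: 1.0 for name in projects}
    return {name: (p[metric] - lo) / (hi - lo) for name, p in projects.items()}


def index_scores(projects, weights=WEIGHTS):
    """Return {project: Index Score} using the weighted average of all metrics."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("metric weights must sum to 100%")
    normalized = {m: normalize(projects, m) for m in weights}
    return {
        name: round(sum(weights[m] * normalized[m][name] for m in weights), 4)
        for name in projects
    }


def rank(projects, weights=WEIGHTS):
    """Return [(project, score), ...] sorted from highest to lowest Index Score."""
    scores = index_scores(projects, weights)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank(SAMPLE_PROJECTS):
        print(f"{name}: {score}")
```

Note that with this normalization a project that leads on stars, contributors, watchers, and forks (project-a) outranks one that leads only on commit velocity and watcher growth (project-b), which is what the 30/25/25/10/5/5 weighting is designed to express.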
Based on this scoring methodology, we list the top 100 GitHub projects on The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.
Although the top 25 list includes well-known tools like Metasploit, Wireshark, and osquery, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are built specifically for modern and cloud-native infrastructure.
Looking across the top 25 list, a few interesting trends emerge. They are:
- Attack and red-team open source tools remain popular: Projects that provide useful attack and testing tools are prominently positioned on the list. Metasploit, OSS-Fuzz, Atomic Red Team, and ZAP are a few examples.
- Security for modern infrastructure is gaining popularity: Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. Those projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream in security operations.
- Automation and "as-code" workflow utilities have emerged: It is also worth noting that projects that enable automation and "as-code" workflows have also appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, purple teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.
We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental approach because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source approach offers a distinct advantage compared with the traditional way of building and deploying proprietary software artifacts.
We built this index because we had a hard time finding a good, representative list of open source security projects. While imperfect, this index represents a starting point to build a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.