Over the past decade or so, open source software has become a critical component of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.
Security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, YARA, Wireshark, etc., are commonly found in organizations' arsenals of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.
To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to discover and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize fast-growing because we believe that modern security operations differ from security in the past, when most deployments took place on-premises. As such, many of the fast-growing OSS projects are newer projects designed for modern infrastructure environments.
To build this index, we use the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure capabilities, such as Terraform, Elastic, Istio, and Envoy, are not included here.
How We Ranked the Entries
Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They include:
- Number of stars: 30%
- Number of contributors (excluding bots and anonymous accounts): 25%
- Number of commits the project had in the last 12 months: 25%
- Number of watchers: 10%
- Change in the number of watchers over the last month: 5%
- Number of forks: 5%
Based on this scoring methodology, we list the top 100 GitHub projects on The Open Source Security Index site. The index is an evolving, live project. We will refresh the data monthly to keep the list current.
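As an added illustration of the scoring described above (this is example code written for this page, not code from the index's authors or from the index site), the following Python computes an Index Score for a few constructed projects using the six weights listed. The article does not say how the raw metrics are put on a common scale before weighting, so the min-max normalisation across the candidate set is an assumption of this example; so is the shape of the contributor records, which follows the `type` field of the GitHub contributors API (`"Bot"` for bot accounts, `"Anonymous"` for entries returned with `anon=1`).

```python
"""Worked example of a weighted Index Score from six GitHub metrics.

Assumptions (not stated in the article): each metric is min-max normalised
to [0, 1] across the candidate set before weighting, so that raw star counts
(tens of thousands) do not swamp watcher growth (tens). All sample numbers
below are constructed, not real GitHub figures.
"""
from dataclasses import dataclass

# Weights exactly as listed in the article; they sum to 1.0.
WEIGHTS = {
    "stars": 0.30,
    "contributors": 0.25,
    "commits_last_12_months": 0.25,
    "watchers": 0.10,
    "watcher_change_last_month": 0.05,
    "forks": 0.05,
}


@dataclass(frozen=True)
class RepoMetrics:
    name: str
    stars: int
    contributors: int  # human contributors only (bots/anonymous already excluded)
    commits_last_12_months: int
    watchers: int
    watcher_change_last_month: int  # may be negative if watchers dropped
    forks: int


def count_human_contributors(contributors):
    """Count contributors from a /repos/{owner}/{repo}/contributors response,
    dropping bot accounts (type "Bot" or a "[bot]" login suffix) and anonymous
    entries (type "Anonymous", present only when anon=1 was requested)."""
    humans = 0
    for c in contributors:
        if c.get("type") in ("Bot", "Anonymous"):
            continue
        if str(c.get("login", "")).endswith("[bot]"):
            continue
        humans += 1
    return humans


def _min_max(values):
    """Scale a list of numbers to [0, 1]; a constant column carries no
    ranking information and is mapped to 0.0 for every entry."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def index_scores(repos):
    """Return {name: score in [0, 1]} as the weighted average of the
    normalised metrics (assumed normalisation, see module docstring)."""
    if not repos:
        return {}
    assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 1"
    normalised = {
        metric: _min_max([getattr(r, metric) for r in repos]) for metric in WEIGHTS
    }
    scores = {}
    for i, r in enumerate(repos):
        total = sum(w * normalised[m][i] for m, w in WEIGHTS.items())
        scores[r.name] = round(total, 4)
    return scores


def rank(repos):
    """Project names ordered by descending Index Score (ties broken by name)."""
    scores = index_scores(repos)
    return sorted(scores, key=lambda n: (-scores[n], n))


# Constructed sample data: a mature, widely starred tool; a young project with
# heavy recent commit and watcher growth; and a starred but dormant project.
SAMPLE_REPOS = [
    RepoMetrics("mature-tool", 30000, 800, 400, 900, 5, 9000),
    RepoMetrics("fast-grower", 6000, 150, 2400, 200, 60, 700),
    RepoMetrics("dormant-tool", 12000, 60, 20, 400, 0, 2500),
]

# Constructed contributor records in the shape of the GitHub API response.
SAMPLE_CONTRIBUTORS = [
    {"login": "alice", "type": "User", "contributions": 120},
    {"login": "dependabot[bot]", "type": "Bot", "contributions": 40},
    {"name": "anon-committer", "type": "Anonymous", "contributions": 3},
    {"login": "bob", "type": "User", "contributions": 17},
]

if __name__ == "__main__":
    for name in rank(SAMPLE_REPOS):
        print(f"{name:14s} {index_scores(SAMPLE_REPOS)[name]:.4f}")
    print("human contributors:", count_human_contributors(SAMPLE_CONTRIBUTORS))
```

With these sample numbers the mature tool still ranks first because stars and contributors carry 55% of the weight, but the fast-growing project beats the dormant one despite having fewer stars and forks, which is the effect the 12-month commit and watcher-growth metrics are meant to produce.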
While the top 25 list includes familiar tools like Metasploit, Wireshark, and osquery, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.
Looking across the top 25 list, a few interesting trends emerge. They are:
- Attack and red-team open source tools remain popular: Projects that provide powerful attack and testing tools are prominently positioned on the list. Metasploit, OSS-Fuzz, Atomic Red Team, and ZAP are a few examples.
- Security for modern infrastructure is gaining popularity: Compared with traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. Those projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream in security operations.
- Automation and "as-code" workflow utilities have emerged: It is also worth noting that projects that enable automation and "as-code" workflows have appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, red teams, and defenders. Sigma is another project that enables automation and sharing of attack detection techniques.
We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a key strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source approach offers a clear advantage compared with the traditional way of building and deploying proprietary software artifacts.
We built this index because we had a hard time finding a good, representative list of open source security projects. Although imperfect, this index represents a starting point to build a structured and comprehensive list of important open source tools for security practitioners to consider. We worked with many open source creators to make this list, and we welcome feedback at @OSecurityIndex.