Public and private cybersecurity partnerships are approached with great caution, and the idea of open source development within these partnerships takes it a step further, especially in the case of cybersecurity. The biggest risks for businesses include cyber-attacks, which were ranked 4th on the 2020 World Economic Forum Regional Risks for Doing Business Interactive Map.
On the other hand, many companies and government agencies have found ways to fight this ever-growing threat, specifically through open source development. For example, the recent partnership between ANSSI (the French National Cybersecurity Agency) and Luatix, a cybersecurity and crisis management non-profit, has had a considerable impact on the future of government open source technology. Under this partnership, the agency is involved in project management, product roadmaps and other aspects of the products offered by Luatix.
In addition, the US government has taken major steps towards open source cybersecurity technology. For example, HOST (Homeland Open Security Technology) is a project funded through the Science and Technology Directorate that promotes open source software, most of it in the field of cybersecurity. The project has received considerable media coverage and attention, and it won the Open Source for America 2011 Government Deployment Open Source Award. HOST has invested in many open source projects, such as Suricata, an intrusion prevention and detection system by Open Security Foundation (OSF).
So, why? Why open source, especially in a sensitive field like cybersecurity?
In today’s era, it’s more important than ever that code is secure. Open source aids in this, especially through platforms like GitHub that create a more organized environment for open source development: the more fresh perspectives a codebase receives, the easier it is to find vulnerabilities and ensure that they get fixed. The same concept applies to other areas of cybersecurity, such as bug bounties. Although most companies take care to hire only select penetration testers to assess their networks, bug bounties make those networks far more secure by allowing hackers to find vulnerabilities across the services a company offers. In exchange, these bug bounty hunters receive money, known as a bounty, based on the severity of the bug and its impact.
Many platforms, like HackerOne, have emerged that offer a large community of experienced bug bounty hunters to test your company’s assets, either through public or private programs. On these platforms, companies assign each of their assets a severity ranging from critical to low and list which ones are in scope and which are out of scope, meaning whether reports against them are eligible to be resolved and possibly rewarded, or not. Other platforms that require an intensive application process likewise rely on crowdsourcing to achieve optimum results.
Public agencies have been setting up bug bounty or simple disclosure programs for years, and it’s only getting better. As of January 29, 2021, the US Department of Defense has the highest number of resolved reports on HackerOne to date, totaling a staggering 12,912 resolved reports since its launch in November 2016. Incentive-driven programs in cybersecurity are found everywhere, not only on dedicated crowdsourcing platforms. For example, multiple universities and companies run independent programs, which have gained more traction over the years.
So what do incentivized programs and open source development have in common? Both draw on an entire community to reach their respective goals, whether or not they follow an incentivized workflow.
All of this shows that crowdsourcing is key and brings us back to the concept of open source development. It is essential that corporations use the large community of programmers and security researchers available to them, not only to secure their code but to make the world a more open space. Knowledge must be shared to grow with the help of a community, and this is exactly what open source does.