Open source security is the future

Security practitioners today face a near-impossible task of bringing order to a technology landscape in which the problem space is accelerating beyond the reach of the available solutions. Most enterprise networks are already well out of control, and the situation will get much worse. Tackling this dilemma is arguably the greatest technology challenge that we face.

Today’s response is inadequate. We need solutions that are rich and scalable enough to secure our intellectual assets across an increasingly complex, virtual infrastructure. And I use the term “intellectual assets” deliberately to make the point that it’s more than just information that we need to secure. It’s also ideas, know-how, trust, relationships, information flows and reputations. This problem space is far bigger than the one we currently address.

The effort and scale required to conceive, build and maintain such solutions are enormous. As Homeland Security Secretary Michael Chertoff pointed out at this year’s RSA Conference, it’s no less than a Manhattan project for cyberspace. And in the current financial climate that’s likely to put it beyond the capabilities of governments, academia and technology vendors.

In fact, the real answer lies with people. Networks provide the lever to harness the efforts of a global community. Open source research and development is the vehicle we need, though it remains an esoteric medium for most traditionalists. How do we go about it? What’s the secret? In fact, it’s not that difficult, though it does require special individuals.

A few days ago I met up with Marty Roesch, founder of Sourcefire, the highly rated IPS/IDS product family, and SNORT, the de facto standard for open source intrusion detection. It’s always a privilege to meet Marty. He’s one of the nicest, brightest, most enthusiastic technologists on the security scene. And he has a stunning track record of building both a visionary product and a hugely successful business underpinned by open source development. His products also continue to stay ahead of the solution space.

What’s the secret behind this? What does it take to build an open source community? In fact, it’s simple according to Marty: you just cut great code, establish a central contact point and then, most importantly, answer your emails. He’s right. The process is simple, though it takes a special kind of person to pull it off.

Some people claim it’s luck. I disagree. So-called lucky people view the world differently. They spot and grasp opportunities that others fail to see. We need more of these special people, though there’s no reason, of course, why we could not teach ourselves to be so lucky.