Developers Will Lead the Way in Securing Open Source
The three apps I use most often on my phone are Google Inbox, Slack and Uber. Even if you are different from me, and use Facebook, Twitter or Pinterest, I’m pretty sure we are both drawn to these apps largely as a result of the great craftsmanship of software engineers.
The developers of these apps have created experiences that make us reopen them over and over again, sometimes multiple times per hour. It’s hard to generalize about what has contributed most to the creation of these addictive services, but there are two tools that have been instrumental to most developers – open source and DevOps. Both allow engineers to build software with speed, precision and lower unit costs; and therefore ship better software faster.
While at Index we are big proponents of open source (and investors in Hortonworks, Confluent, Nginx, Minio, Elastic and others), all the upsides of open source and DevOps should not blind companies to one potentially critical downside: if not managed properly, building software with open source presents a new form of a security risk.
When a technology like open source becomes so mainstream that it underpins software in almost every industry from retail to financial services to media, it’s bound to attract the attention of cyber criminals. Be they nation states, criminal syndicates or individual hackers, these attackers are targeting open source components that appear in much of today’s software. They only need to find a vulnerability once to compromise every other piece of software that used that code. DevOps further amplifies the prevalence of common denominators, as new and old versions of open source are released at increasing rates. Vulnerabilities such as Heartbleed and Shellshock are just two very visible examples of this.
Despite all the buzz, selling solutions directly to chief security officers of Fortune 1000 companies is set to get harder. Even though adversary economics leads to higher numbers of attacks, and the investment dollars that have gone into security startups have created an army of sales and marketing people, the number of decision-makers in the CSO’s office is static. As a result, I expect 90% of security companies with traditional business models to experience longer sales cycles and smaller deal sizes.
The need for a new security approach to enabling safe use of open source and DevOps, combined with a different opportunity to sell, brought us a year ago to a conversation with Mark Curphey, co-founder and CEO of SourceClear. Unlike many security companies that are trying to target CSOs, SourceClear works inside the developer’s workflow and with the team’s existing toolchain, uncovering vulnerabilities before they are released. We’ve seen this approach work with SourceClear’s early adopters across the defense, finance, technology and retail industries, and that’s why we are leading SourceClear’s Series A round, announced today.
It’s clear that the answer to the security concerns around open source will be developer-led. That’s the only way we will safely be able to enjoy the services to which we’ve become so addicted in our daily lives.