Building in the open, again

As promised in a few of my previous posts, I wanted to write more not only about my career until now, but about where I'm going next – and why I chose this particular course over any other. I want to avoid burying the lede too much, so I'm thrilled to announce that I'm joining ProjectDiscovery as Head of Community.

As the makers of projects like nuclei, subfinder, naabu, and many, many more – PD already has a remarkable community. PD is on a mission to bring security to everyone—and their vision for doing that aligns directly with mine: allow everyone to contribute. For too long, security engineering and other critical cybersecurity practices have been dominated by large proprietary software vendors. We've grown complacent, spending a lot of money on security tools that might as well be black boxes: we feed money in, say “make me secure please,” and hope that we come out more protected. All of that limits the speed of innovation in a space that needs speed more than perhaps any other.

This is a pattern we've seen before – and one that I don't believe allows for long-term success in the modern world. In a world where every company is a software company, and all of those organizations rely on more and more software to bring value to their customers, we've already seen that the old-school model of security is failing us. I don't even want to make yet-another-list of famous breaches and why “traditional” security failed us in those cases…that's a blog post that's been written thousands of times by now. Instead, I want to focus on what the future could look like in a world where we build security together, in the open.

Open always wins

While not entirely true in all instances, I have a strong belief that in broad enough problem sets there is no way to “win” with old-school proprietary systems. Systems built in that world are limited by the capital, cognition, and creativity of a very limited set of practitioners—those working inside a given organization.

Open source, on the other hand, doesn't have these constraints. It allows entire industries to bring their collective experience and expertise to bear on issues. This scales in a way that you simply cannot reproduce at any meaningful scale by raising venture capital and trying to hire the “smartest” people you can. And it allows that scaling to happen faster than any company can manage alone.

More eyes don't just make all bugs shallow—they bring pathways for bugs that you just wouldn't otherwise be able to conceive of, faster than you'd ever get there on your own. We've seen this in DevOps in the last 10 years or so. It hasn't been something that's successfully solved inside of one company, it's something that industry has had to choose to work together on in open source projects, DevOps Days, and communities of practice. Simply trying to create “DevOps” inside your company is not only hard to impossible, but it's also a tremendous waste of resources. You shouldn't have your teams working on undifferentiated work that is going on in “every” company. You should leverage open source tools and tools that have more than one company working on them to leverage that collective experience to help solve your problems. Then your teams are free to focus on the things that actually add differentiated value to your customers.

Security is a space where this is even more critical - a free-flowing exchange of ideas, threat vectors, and new exploits has always been central to security on both the attacker and defender side. We've seen in recent years an opening up to this reality with fantastic communities like HackerOne and other bug bounty programs with participation from industry and companies everywhere. Why this change? I think it's because security professionals have realized: security isn't a zero-sum game.

Security isn't a zero-sum game

A chain is only as secure as its weakest link. We've seen this illustrated time and time again with the various supply chain attacks that have come to the forefront of our industry. And this means that not only do you have to worry about the security of your products – or your own “perimeter” – but you actually have a lot more to worry about outside your direct control.

At the same time, we also face ever-more-sophisticated attacks, including ones that are perpetrated by nation-state-level actors. Combine that with the explosion of internet-connected devices and the ever-growing demand for always-on access to data, and you have enough to give even the most seasoned CISO a headache.

It's dangerous to go alone, take this

With this combination of factors, it's not possible for you to simply put a moat around your part of the world, pull up the drawbridge, and call yourself “secure.” We have to work together as an industry to help everyone secure their systems better – because when one of us is insecure, we all are. Like it or not, we're in it together. As Kelsey Hightower would say – we're on the same team, just working for different companies.

In the early days of computing, zero day and other types of vulnerabilities were the currency of hacker communities - and in many ways that is still true today. But as hackers and companies have evolved, we've seen the ability to create mutually beneficial relationships that the giants whose shoulders we stand on couldn't have even conceived of. With the right community, with the right ethos, with the right mission, we can leverage the progress made and build better together. That is the ethos of open source, and security should embrace that ethos.

Security should be open source

Given these factors, and so much discussion about “open source security” (meaning the security of open source libraries rather than security as an open source concept) these days, PD is working to flip that on its head. We want to bring to bear on the problem the way we've solved every other complex problem in software in the past decades: open source. By building open source tools, in the open, and encouraging and accepting input from the entire community, we have a chance to actually raise all boats with the tide.

And that's why I'm joining PD and incredibly humbled to be working for not only PD but for our community. I see that community as my most important stakeholder, and I expect the community - and all of you - will hold me accountable because of that. As I've said, I don't see a path to success—be it for PD as a company or us as an entire industry—without the work of all of us. It's going to take a whole community of hackers, blue teamers, red teamers, CISOs, security engineers, and, yes, even developers to raise the bar for software security…and I'm so excited to be a part of that.