Hi, everyone. I’m sure some of you may have noticed that our lives have been a little bit interrupted because of a microscopic virus called coronavirus. You can find a short story named “CVSS Score of COVID-19” on Medium I wrote in March just before I got COVID myself.
This pandemic made me think of living vs surviving. What does this have to do with security? You got it. Life is surviving WITH security! Security is the endeavour of continuously trying to eradicate the unknowns because fear comes from the risk of the unknowns.
Security is a Mindset
A little bit about the story: I had stopped all extramural activities in January and had also been working from home since January. How did I get infected? I know exactly how! In February my little one's school had an outing to the London Aquarium. I did a risk assessment of whether my little one should go on the outing or not. Since my little one would still be going to school either way, the risk of catching it from someone who went on the trip stayed the same whether my little one went or not. Thus, my little one went, and I fell ill two weeks later.
This lifestyle is what I mean when I say security is a mindset. You have to live it! Everything starts as an idea, and risks stem from the unknowns. Our customers choose to trust us, to trust open source. Hence, we must strive to provide the most secure software we can. Security is a mindset that anticipates the unknowns.
Although the risks are unknown, what we can do is anticipate them and work out beforehand what to do when they appear. Be it a vulnerable library in the software supply chain, be it an insider threat, or be it quantum supremacy that cracks all cryptography like cracking eggs, we can minimise the blast radius by looking ahead. We can build automated DevSecOps pipelines to detect and replace vulnerable libraries in a timely fashion. We can implement dual controls to reduce the likelihood of insider threats and lost passwords. We must invest in quantum-resistant algorithms to stop quantum supremacy cracking our cryptography.
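As a concrete illustration of the "automated pipeline that detects vulnerable libraries" idea, here is a small build gate that compares pinned dependency versions against an advisory feed and fails the build when a pinned version falls inside an affected range. This is an added example, not code from the original post or from any project the author mentions; the lockfile contents, the advisory identifiers (ADV-0001 and so on) and the version ranges are all constructed sample data, and a real pipeline would read its lockfile from disk and fetch advisories from a vulnerability database instead.

```python
"""Minimal lockfile-vs-advisory gate of the kind a DevSecOps pipeline can run
on every build. Both the dependency list and the advisory feed are constructed
sample data, not real packages or real advisories."""
import re
from typing import Dict, List, Tuple

# Constructed sample: what a lockfile would pin (package name -> version).
LOCKFILE = {
    "examplelib": "1.4.2",
    "jsonparse": "2.0.9",
    "tlswrap": "3.1.0",
}

# Constructed sample advisories. The affected range is [introduced, fixed),
# i.e. the 'fixed' version itself is safe. IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-0002", "package": "jsonparse", "introduced": "2.1.0", "fixed": "2.1.4"},
    {"id": "ADV-0003", "package": "tlswrap", "introduced": "0.0.0", "fixed": "3.1.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Pre-release suffixes such as '-rc1' are ignored, so this deliberately
    treats 1.4.3-rc1 as 1.4.3; use a full semver library for real feeds."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:  # pad so '1.4' compares equal to '1.4.0'
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_vulnerable(lockfile: Dict[str, str], advisories) -> List[Dict[str, str]]:
    """Return one finding per (pinned package, advisory) pair that matches."""
    findings = []
    for adv in advisories:
        pinned = lockfile.get(adv["package"])
        if pinned is None:
            continue  # package not used by this build
        if is_affected(pinned, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"],
                "version": pinned,
                "advisory": adv["id"],
                "upgrade_to": adv["fixed"],
            })
    return findings


def pipeline_gate(lockfile: Dict[str, str], advisories) -> int:
    """Return a CI exit code: 0 when clean, 1 when any pinned version is affected."""
    findings = find_vulnerable(lockfile, advisories)
    for f in findings:
        print(f"FAIL {f['package']}=={f['version']} matches {f['advisory']}; "
              f"upgrade to >= {f['upgrade_to']}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(pipeline_gate(LOCKFILE, ADVISORIES))
```

Run as a pipeline step, a non-zero exit code blocks the merge or deployment; the printed line tells the developer which version closes the advisory, which is the "replace in a timely fashion" half of the sentence above. With the sample data only examplelib is flagged: jsonparse is pinned below the introduced version, and tlswrap is pinned exactly at the fixed version, which the half-open range treats as safe.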
After attending OSCON in Portland, OR in 2011, what prompted me to start my startup were a few things I heard there: "the contribution to the human race from many software systems is not as great as the automatic urinal in the toilet," and "we need open source to be sure of the quality and security of the artificial heart pumping in my chest." In short, I made a totally open-sourced version of the Yubikey; both software and hardware were open source. I went on the TV show BBC Dragons' Den (also called Shark Tank) but didn't get the money. Now Peter Jones is regretting his decision!
Looking at the current state of open-source land, it has so much untapped potential. It already has multiple built-in toolsets for security. What we need to do is market them, sell them, and build them. Yes, in that order; that is what I learnt from my startup: you should trade and sell your ideas before building a prototype!
Therefore, I’m now marketing the ideas of “container security is not new, but a free real-time container security platform doesn’t exist, let alone open-source,” and “the tools are free, but the information is valuable.”
Together, we can open source all the tools needed in a cloud workload protection platform, from the foundational ones like Hardening, Configuration and Vulnerability Management to the less critical ones like Anti-Malware Scanning. We can open source DevSecOps, Cloud Governance and cryptography toolsets. This strategy is what I call "continuous security."
Heck, a lot of those tools already exist and are just waiting to be found. Let’s find them, and start living, not just surviving!