Our security teams at Facebook believe open platforms have the potential to help us achieve important security goals for the broader industry by enabling better communication and information sharing.
Last week at the Velocity conference, we shared additional context about why we're so excited about open source security and osquery, an open source framework for low-level operating system monitoring. You can see slides from that talk in the slideshow below.
This is a critical moment in the development of open source in security. The stakes are high, and new approaches are needed. In what's commonly referred to as “the defender's dilemma,” defenders need to protect every vulnerability in a system, while attackers can find success through exploiting a single vulnerability. At the same time, our industry is less inclined to share and discuss the tools, tactics, and procedures used in defense. This habit of limiting the information that is shared, along with a lack of collaboration among defenders, creates a disadvantage.
Open source has already enabled significant innovation in other areas of engineering. For example, consider the databasing industry. MySQL, Postgres, Hadoop, and others are tried and tested applications created by many people working together to solve a shared problem. As a result, innovation has occurred throughout the whole stack, with advancements in storage, indexing, filesystems, and other areas.
Unfortunately, the security of large-scale information systems has not seen a similar surge in engineering innovation. As a result, there is a lack of foundational software that can be used by the whole industry to protect our infrastructure from realistic attacks.
The vision for open source security and osquery is for offensive and defensive security professionals to work together on important security challenges, benefit from shared knowledge, and drive the industry forward.
We released osquery as an open source product in October 2014, and dozens of companies are currently in various stages of deploying it. Developed completely on GitHub, all engineering for osquery is done in the open. If we need to add a new subsystem to the product, we create a public GitHub Issue. Often, a user from another company will chime in and discuss an internal use case, which leads us to create new features and capabilities. Users are part of the development process — they're helping shape a product they want to use.
A number of new tables have been released, including visibility into encrypted hard drives, contributed by community member @sharvilshah. Another contributor, @wxBSD, added support for Yara pattern matching into osquery's new file integrity manager. Build support for FreeBSD was contributed by @zi0r, who also added osquery to the FreeBSD Ports package manager.
Enthusiasm for osquery participation reflects a shift in the way security professionals are pursuing innovation. Isolation is no longer a viable or beneficial option. Not only are open source strategies possible in security, but they're also necessary for growing and applying the collective knowledge of the industry.
Come join us! github.com/facebook/osquery