Channel: Artificial Intelligence News, Analysis and Resources - The New Stack

There Is Just One Way To Do Open Source Security: Together


ATLANTA — At the Linux Foundation’s first Securing Open Source Software (SOSS) Fusion conference, HackerOne CEO Mårten Mickos shared his insights on the intersection of artificial intelligence, open source software, and security.

In his keynote, Mickos opened by saying, “The power of open source is not that we agree and get stuff done; it is that we disagree and get stuff done. That’s the true power when you have a governance model that allows people who have nothing in common to produce something in common.” That includes securing open source software.

Mickos continued that the most important “rule of cybersecurity is that timing is everything. You can have the shittiest defense, but if it is the fastest, it works.” He added, “I remember when the internet had 4 million users, and I remember when it had 40 million users. Now it’s billions and trillions and gazillions, and everything is interconnected. So, whatever solution we thought we had yesterday, it’s much more complex today.”

Collaborative Approach

That means “Given that the threat is asymmetric, the only sustainable defense is to work together. When the good guys work together, they are far more than the bad guys.” Thus, Mickos advocated for a collaborative approach to cybersecurity, introducing the concept of “defense in collaboration” alongside the traditional “defense in depth” model.

He cited the popular open source program curl, which has been far better secured with a collaboration approach. This project works with HackerOne and uses a bounty system to reward people for finding security holes. “The curl bug bounty,” wrote Daniel Stenberg, curl’s founder, “is an absolute and undisputed success. I believe it is a key part in our mission to keep our users safe and secure.”

That’s not to say you don’t need defense in depth as well. You do. “You need multiple layers of defense. But it’s not enough just to test it once. It’s not enough to design it once. It’s not enough to do just one thing. You have to do all these things and start with the principle of security by design.”

Unfortunately, we’re bad at this. AI isn’t helping. As Stenberg noted, “Right now, users seem keen at using the current set of LLMs, throwing some curl code at them and then passing on the output as a security vulnerability report. What makes it a little harder to detect is, of course, that users copy and paste and include their own language as well. The entire thing is not exactly what the AI said, but the report is nonetheless crap.” Such reports take up maintainers’ valuable time and energy. Nonetheless, in general, the collaboration approach works.

Now, AI can also help with security. In his keynote at the same conference, Bruce Schneier, a renowned security technologist and author, said AI gives us the power “to do some defense with AI at computer speeds is gonna be very valid. But a lot of this depends on how good these AI systems are. And there we have a long way to go.” Still, as Mickos commented, even a poor but fast defense can be a real help.

AI Can Help

Unfortunately, AI companies do a crap job on their own security. Mickos revealed that a recent HackerOne study found only 5% of AI companies proactively communicate about AI safety and security in public. Indeed, over half have nothing to say about their security policies.

This is a lousy policy. Borrowing the term “radical candor” from business leader Kim Scott, Mickos called for increased openness in software development, including AI models and applications. “How open can we be with AI with weights, parameters, and deployments with bias in systems? How far can we go?” Mickos’ answer: All the way. “The only thing that will work long term is for software and AI that can be tested and validated from the outside.”

To sum up, Mickos added, “We need to practice sharing the bad news because that’s the only way to make good news.” If that means publicly reporting embarrassing security failures, so be it. He urged the tech community to embrace vulnerability disclosure without shame, stating, “The faster we can fix them, the better off we all are.”

Mickos concluded on an optimistic note, acknowledging recent improvements in collaborative security efforts, particularly praising initiatives by the US government such as NIST frameworks and CISA. As AI permeates the software landscape, Mickos called on the tech industry to prioritize collaborative security measures and transparency in the face of evolving and ever-increasing digital security threats.

I agree with him. Open source has proven itself to be the way to build software. If we prioritize security, open source will also be the way to secure our programs properly.

The post There Is Just One Way To Do Open Source Security: Together appeared first on The New Stack.

HackerOne CEO Mårten Mickos highlights how open source can address security issues.
