The Open Source Advantage: Strengthening Security Resilience Through Community Collaboration

The Bitwarden team had the privilege of speaking with experts David (Dave) Kennedy, Founder and CEO at TrustedSec and Jos Poortvliet, Co-Founder and Director of Marketing at Nextcloud, during the 2023 Bitwarden Open Source Security Summit. Dave is a self-described “security expert, keynote speaker, avid gamer, and the go-to for protecting companies from threats.” Jos Poortvliet is a “people person, technology enthusiast and all-things-open evangelist.” 

The below Q&A features insights about open source collaboration, how it keeps organizations accountable, and how it differs from closed source protocols.

Watch the full panel discussion

Bitwarden: The panel today will discuss how to strengthen security resilience through community collaboration. Dave, we'll start with you. How has your organization benefited from integrating open source solutions into your technology?

Dave Kennedy: When you look at security in general, most people think of API's and cryptography, but there's another area around cybersecurity involving offensive capabilities and tools that are designed to help emulate what other attackers do. By understanding what attackers do, it allows you to model your defensive capabilities and have a much stronger product in general. The community collaboration around those aspects is really strong. 

I've authored a number of open source tools. We leverage open source very heavily for our own product and have community projects that allow us to benefit from the analysis component of the open source community. The collaboration, as well as features and functionality, is unparalleled. It beats anything else you have out there, enabling the ability to identify threats, vulnerabilities, and exposures via more public code versus closed source. Collaboration and being able to pull from many people through initiatives such as bug bounty programs can help you dive down into potential exposures in your own product. It makes your product, as well as what you’re doing in your own organization, even better. 

Bitwarden: Could you give us just a one-minute explanation of your business, Dave? 

Dave Kennedy: I own two companies. I started and founded TrustedSec and Binary Defense. We have over 350 employees worldwide. We work with three of the Fortune Five and 70% of the Fortune 1,000 companies, along with small-to-medium sized businesses. 

We focus on information security consulting, which includes penetration testing, red teaming, source code analysis, and governance advisory services. We help companies manage detection and response as we search for intrusions and attackers in some of the largest enterprises in the world. We’re trying to stop attackers by figuring out what they're doing and then ensuring organizations have good defenses against it.

Bitwarden: Moving on to an intro of Nextcloud. There’s always been a lot of community overlap, so I know the Bitwarden community is happy to hear from you. Jos, please also share more about how integrating open source has really benefited the Nextcloud movement. 

Jos Poortvliet: These two things are almost the same, right? We founded Nextcloud to give people control over their data and - where Bitwarden does that is through giving people control over their passwords - we started with a focus on data used in collaboration. 

We make an open source collaboration platform with document sharing, video chat, calendar, mail, and all the other basic functionalities that you need to work together - and it's designed to run on-premises. We make the software, but we don’t host. Users can easily run Nextcloud in the cloud or on-premise. We care about giving our users the ability to have both control and choice. 

Getting to the question about open source, transparency is key. 

Working in the public helps create a secure culture both internally and outside the company.

When we started the company, we knew making it open source would create awareness because people were looking at the code. Developing a product in the open means people will have insights into our security. We’re not hiding vulnerabilities in a corner somewhere and saying we'll fix it later - you can't do that with open source. There have been studies showing that when people feel like they’re being surveilled, they change their behavior. We’re harnessing that in a positive way. That’s core to our DNA as a company. 

Bitwarden: One of the reasons this conference began was because of the misconceptions about the ability for open source to provide security resilience. Could you each give a few examples of when you may have had people that were skeptical and how you were able to assuage their concerns?

Dave Kennedy: I am a Nextcloud customer and a Bitwarden user as well. So, we're in good company here. And why is that? We're a cybersecurity company and we need to ensure that the products and technology that we're using are best in class, especially when it comes to our exposure. We work with government agencies and some of the biggest companies in the world. 

To me, the benefit in the marketplace of using open source tools is that you know if a company is using solid cryptography.

We’ve obviously seen closed-source password managers have some major problems with their ability to protect containers and storage. 

It’s good to have transparency when we’re going to a customer. Say they have a closed source product - from a black box perspective, we usually find some pretty horrendous things. When we’re going from an open source perspective, we may find things, but it's not nearly as catastrophic. 

My career has been devoted to offensive security - doing everything from zero-day research to Microsoft products and starting the PowerShell security movement at Microsoft.

Time and time again, I can say the products that seem less insecure are open source, because they’ve gone through that rigor.

When people think of open source, I think one of their first thoughts is that it must not be commercial. I would argue that it's more commercial and more streamlined and more used because you're getting that collaboration. 

If you look at the open source projects out there, you’ll find fans that are passionate about your brand and what you're building. They start amplifying your product and coming up with amazing ideas and feature requests, and that enhances your product overall. 

As a security professional with 25 years experience, I prefer open source because I know what I'm getting myself into. I can validate with my customers and know that I have a much stronger footprint from a defensive perspective.

Jos Poortvliet: Yes, it’s the transparency - it changes the internal company culture. We often encounter customers that come to us and inquire about our products or how to get up-and-running. Later on, we often discover they hired an external company that had done a security audit, reviewed the code, and gave feedback about whether it was a good product. 

We have to be realistic here. There are people who go on GitHub assuming a lot of people are reading code for hobby, all day long. That’s not necessarily the case with bigger companies. We benefit from a ton of people who have incentive, knowledge, and the desire to push us. On top of that, we have a $10,000 bug bounty program, which also helps. 

When people find issues, they look at them and report them. You still need a good culture and good processes in place to be able to respond effectively. Because you work in the open, you automatically start building those processes. The open source way of handling security issues - like the Linux Kernel does and many other sensitive projects do - is becoming the industry standard because these projects are transparently forced to optimize and improve all the time. 

Proprietary organizations often lag behind open source.

One example: many previous security standards were recommending people change their password every two months. We now know that’s not wise, because people choose simple passwords they can remember. A password built around a passphrase is often better. It’s easy to remember and much more difficult for hackers to crack. These things are not often figured out by proprietary companies. 

Good developments and innovation happen between security researchers, passionate users, and companies working together in an open way.

Dave Kennedy: To hit really quick on what Jos was saying there - notice he said we’re forced to have to fix the issues because they’re public and exposed. Whereas with closed source, there were a number of times we found some catastrophic issues that never got addressed because nobody saw it. 

When you're in the public limelight, you're held to a completely different standard in open source than you are via closed source protocol. The urgency to fix and address things becomes substantially heightened. 

We actually found an exposure, a fairly minor thing, that was fixed in eight hours. That’s the type of turnaround you find in products that specialize in open source. 

It’s the agile workflow development, but also being able to take in other input sources. 

Closed source is a chaotic, slow moving machine. With open source, we see much better code quality. People see your code, make comments, and then it functions properly.

Jos Poortvliet: It has to do with cost, too. For a big organization, security is just a cost. As long as nobody hacks the system, or there is no big public breach or security explosion that gets in the news, it’s a low priority. People on the floor are guided by these priorities from management. With open source, you see developers who are out there and who are public. They have motivation. If you’re anonymous in a big organization your career probably won’t be impacted if there is a big security flaw. This isn’t good.

Bitwarden: We’ve talked a lot about protection, security mechanisms, and vulnerabilities. I want to pivot to innovation and collaboration. Could you each give a quick summary about what you’ve seen and share how open source has helped?

Jos Poortvliet: Open source is often setting the standards in this regard. People are, by working transparently and openly together, going to identify ways cyber criminals might hack a system. You’re going to examine all levels. 

People will do research on Linux, because it’s well-understood. Very few people will do cutting-edge security research on Windows, because there is not much transparency there. 

Open source is absolutely crucial for creating new standards and advancing technology. With proprietary software, a lot more bugs are hidden, until they spill out into the open. Without transparency, the code presents a risk.

Dave Kennedy: What happens with open source collaboration is that you have an external community that is just as passionate as your team, and also gets to use the product and see things that you don't. Some of the best customer features we've implemented, or things that I've written in open source tools or framework, have come from people using the tool. They say, “Hey, it’d be cool if you did this,” or “here’s another product you can integrate that gives you all these capabilities.” So it really drives innovation.

There’s a great book about how a bunch of executives went into a room and started talking about what’s wrong with the business and why they’re seeing their numbers going down, but they don't actually talk to the customer about why their numbers are going down. They just have ideas of why it's not working. It’s a parable for open source. 

When you can get that feedback directly from the community, from people that are passionate about your product, they’re making your product even better. 

The innovation and ramp up you can derive from open source collaboration and open source communities is astronomical.

I have so many closed source horror stories I could tell you about. We had to go and present at DEFCON and expose them to get them to actually move things. There’s a big difference and the public element of open source is a large component of that.

Learn more about the 2023 Bitwarden Open Source Security Summit. 

Ready to try out password sharing with Bitwarden? Quickly get started with a free Bitwarden account, or start a 7-day free trial of our business plans to keep your team safe online. Have questions? Sign up for the free weekly demo.