The fourth annual Open Source Security Summit in December 2023 brought together industry experts, case studies of open source security in action, and engaging commentary from participants all over the world! The Open Source Security Summit empowers enthusiasts to discuss the limitless ways companies can use open source technologies to strengthen security and trust through transparency and collaboration.
Highlights from this year included Brian Krebs, author and cybersecurity investigative journalist, Alyssa Miller, CISO at Epiq Global, and AI expert Zack Kass. To catch up on previous summits, you can watch many of the session recordings for 2022, 2021, and 2020 at opensourcesecuritysummit.com or on the Bitwarden YouTube channel.
“Just as open source has made possible advances in software that weren't possible before, so open source security will make possible advances in cybersecurity that, otherwise, would not be possible.” - Michael Crandell, Bitwarden CEO
Brian Krebs is a New York Times best-selling author, reporter, and former investigator with the Washington Post, and currently runs KrebsOnSecurity. Krebs has a long history of investigating security incidents affecting governments, enterprises, and individuals alike. In his articles, he focuses on “constantly challenging our assumptions, trying to measure the gap between how secure we are and how secure we think we are.”
During this fireside chat led by Justin Lam, an industry analyst with 451 Research, Krebs shared his insight on the cybersecurity and cybercrime landscape. In response to the increased frequency and effectiveness of attacks, Krebs urged companies and individuals to adapt the way they think about security to account for modern threats. They discussed the critical importance of security education and training throughout every organization. In Krebs’ view, the industry is trending in a positive direction, with more and more companies taking cybersecurity seriously and getting the resources needed to train employees.
“Humans are the primary source of insecurity and they're ultimately where we need to focus our efforts. Security is fundamentally about shaping human behavior.
At a very basic level, security is about making it easier for users to do the right thing, and harder for them to do the wrong thing. A lot of that comes down to the defaults we pick when we design software and hardware, which is an area we still have a lot of work to do. I think passkeys are a really good example of this.
I believe passkeys have the potential to cut down a great deal on the number of account takeovers and phishing attacks.”
Krebs’ number one piece of advice for developers making secure tools was to remember that “defaults matter. The settings you choose – in your code, as a developer – they're important because the vast majority of users will never change the default settings. So security options that are turned off by default tend to stay that way and vice versa… Consider giving users choices when it comes to multi-factor authentication, as well as, wherever possible, the ability to use products without having to connect to the cloud 24/7.” Krebs ended the conversation with a call to leverage the tools at our disposal, including AI, to test the security of code before it goes into production, and to always ask: is there a better, more secure way to do this?
Alyssa Miller, CISO at Epiq Global, and Jenifer Ho, VP of Marketing at Bitwarden, discussed the evolving role of authentication, passkeys, and the benefits of open source security in this fireside chat. Miller is a lifelong hacker and seasoned cybersecurity executive with over two decades of experience. She is internationally renowned as a hacker, speaker, author, cybersecurity researcher, and advocate for making application security an enabler rather than an obstacle for efficient development pipelines.
Throughout the talk, Miller praised open source software, saying: “it gives us the ability to be more aware of what's there, and to do a much deeper inspection than we could do with a commercial off-the-shelf product… Open source packages enable the efficient, quick development of software.”
When it comes to building a culture of cybersecurity and understanding how to educate your team, Miller said, “security has to extend beyond your corporate walls, and I don't just mean the physical walls. If you have people working in hybrid environments or fully remote, their home network just became yours.”
Employee training is a critical step in maintaining the security of your organization. It’s important to be sure everyone in the company understands how their actions impact the safety of their home network and how to keep their devices safe. Then the motivation to learn and improve their own security at home increases and naturally extends to the workplace. When people understand how to stay secure, they feel like they have more control and know how to better defend themselves.
In this fireside chat between Zack Kass, AI expert and former Head of GTM at OpenAI, and Michael Crandell, CEO of Bitwarden, the two discussed the promise and peril the new age of AI brings to security, and what the future might hold.
According to a recent survey of 600 developers, over 75% strongly believe that generative AI will make data security more challenging, yet 83% report that their organizations have significantly invested in AI technology. An alarmingly large share of respondents confirmed that insecure uses of AI are common: 30% admitted to entering developer secrets into a generative AI platform, 24% have input privileged credentials, and 25% have entered highly sensitive personal information such as social security numbers.
When it comes to potential vulnerabilities in the current landscape of generative AI tools, “the attack vectors for AI are the same as they are with a service like Gmail or Slack,” said Kass. “The difference is that we aren't often entering our social security numbers into Slack, but I would say that the risks associated with ChatGPT or any of these generative AI tools are the same as the risks associated with any other cloud security products. The difference here is that AI is novel, and therefore probably more exposed to attacks. I don't think that these AI tools present a new threat, in that sense.”
Kass ended on a positive note, forecasting an optimistic future in which AI frees people from many of the tasks it is likely to take on over the next decade, giving them more time to spend with loved ones.
“When you ask people what actually inspires them, and what makes them human,” said AI expert Zack Kass, “they talk about their family, friends, and hobbies. I truly believe that AI is going to present the opportunity for us to become much more human by alleviating some of the burdens currently on our society.”
Meskio, Anti-Censorship Team Lead, discussed the role Tor plays in advancing human rights with open source anonymity tools. He shared several case studies from around the world showing how the Tor network is able to operate thanks to a global community of volunteers. Meskio credits community collaboration, and the added security that comes from a user base invested in improving its tools, as the primary reasons Tor operates under an open source model.
“Open source tools bring with them a lot of collaboration. We lean on our communities for all the work that we do. We discover what is happening because people in the community tell us - we have all this feedback from them.”
Watch the full session recording to learn more about Tor.
In this lightning panel, Dave Kennedy, Founder and CEO at TrustedSec, and Jos Poortvliet, Co-Founder and Director of Marketing at Nextcloud, discussed strengthening security resilience through community collaboration.
According to the panelists, the benefits of an open source community through collaboration are unparalleled. A passionate user base that deeply cares about the success and quality of these products and contributes to their ideas is one of the many advantages of open source projects.
“People care more about security when they know everything, when everything is exposed to the light all the time. Open source is absolutely crucial for creating new standards and advancing technology,” said Poortvliet.
This transparency allows teams to identify threats, vulnerabilities, and exposures more quickly and respond rapidly due to the public visibility. That continual feedback loop helps drive innovation. When code is in the public view, companies are held to a higher standard and “the urgency to fix and address issues becomes substantially heightened,” said Kennedy, “to the point where even minor issues get prioritized to be fixed.”
Kennedy revealed he is a user of both Nextcloud and Bitwarden because “we're a cybersecurity company. We need to ensure the products and technology we're using are best in class.
As a security professional with 25 years in the industry, I prefer open source because I know what I'm getting myself into, and know that I have a much stronger footprint from a defensive perspective.”
Watch the session recording to hear the full discussion on: The Open Source Advantage: Strengthening Security Resilience Through Community Collaboration.
Jean-Pierre Vigneault, Technical Manager for Analytical Platform & Automation at the Canadian Centre for Cyber Security (CSE), showcased how his organization takes an open source first approach. Vigneault discussed several open source projects CSE regularly contributes to, including one of their own projects, AssemblyLine, which is a malware analysis program built to scale to millions of files daily.
Vigneault explained why compiling a security tech stack from a shared ecosystem is crucial for security and also offers significant benefits for companies. When systems are customizable, they can accommodate unique environments and allow teams to contribute back to the community when they find areas to improve.
When systems speak a common language, it enables quick integration and streamlined communication with partners and teams. Combining the power of open source products, InfoSec communities, and commercial options prevents businesses from being stuck in a single, closed ecosystem.
“Attackers are working in teams, so cybersecurity is effectively a team sport. Open source can help us play as a team. In order to play together and defend as a community, we need to move from a proprietary ecosystem toward a more open and shared ecosystem.”
Open source is “about democratizing cybersecurity.” When an ecosystem can be built on free tools, “cybersecurity doesn't have to be expensive.” Open source also allows everyone to have access to important tools and be able to take advantage of people's expertise to improve the entire ecosystem.
Working with the community enabled Vigneault and his team to standardize and integrate easily within their environment, and make use of information rapidly because “cybersecurity happens really fast.” Open source helps to remove boundaries to innovation.
Watch the full session recording to learn more about the Canadian Centre for Cyber Security’s open source projects.
Manuel Leos Rivas, Cloud Security Architect at Backblaze, shared how to mitigate phishing attacks using open source tools like Wazuh, which enables detection at scale. For Backblaze, one key motivation for using open source tools like Wazuh is how easy it is to automate, which lets their teams focus on other areas. Wazuh performs file integrity checks and alerts the user when something changes: even a small change to a monitored file is detected and turned into an event that can be monitored and tracked until it is resolved.
Watch the full session recording to learn more about Backblaze and open source tools.
This lightning panel featured experts Phillip Kampmann, Software Engineer at AccuRanker, and Henry Fisher, Digital Rights Activist and Techlore Founder, and was moderated by Leigh Honeywell, CEO at Tall Poppy. The panelists discussed how companies can build a cybersecurity culture and how to spot and address common security oversights in an organization.
Fisher stressed the value of personalizing security “and helping people genuinely understand why security and protecting user data is really important. Many people struggle to conceptualize why it matters and how their security habits impact not just the company, but themselves.”
It’s critical to tailor organizational “security training programs for new employees and give them real life examples of how to use the security measures and how to avoid falling into common security pitfalls like phishing emails,” said Kampmann.
Watch the session recording to hear the full conversation from this panel: Building a Cybersecurity Work Culture: Spotting and Addressing Common Security Oversights in the Organization.
Sergii Smirnov, CTO at Namecheap, dove into the benefits of using an open source password manager like Bitwarden.
Smirnov’s journey to enhance operational efficiency and cybersecurity at Namecheap began with the search for the optimal password management solution. The goal was to move to a single, more secure, and streamlined alternative, which was more than simply a change in tools – it was “a significant step toward strengthening our cybersecurity and streamlining our operation.” A key factor in their decision to choose Bitwarden was its open source nature.
For Smirnov and his team, “open source software like Bitwarden invites broad rotation and continuous improvement from a global community of experts… We believe that open source validation plays a crucial role in ensuring security because it allows for continuous scrutiny and enhancements made by a worldwide network of specialists.
We can see that proven year after year through the way Bitwarden and the open source community interact, the issues they bring up, and the way those issues get addressed. This validation ensures vulnerabilities are identified and addressed promptly.
The open source approach not only enhances Bitwarden’s security features, but also ensures it evolves in response to the real world needs of its users.”
For Namecheap, and many others, “open source represents a forward-thinking approach that embodies innovation, collaboration, and transparency. We see open source software as the future of technology development.”
Watch the full session recording to learn more about why Namecheap chose Bitwarden and how they rolled the product out to their team.
Ryan McElroy, VP of Technology at Hylaine, a custom-tailored technology consulting firm, shared how Bitwarden enables his company.
For McElroy, the primary advantage Bitwarden provides his team is the ability to lock sensitive data to teams. Hylaine uses the collection and folder architecture to its maximum. One limitation of their previous tool was the lack of granular access to client information. “With Bitwarden, that granularity allows us to be even more secure. It works for our organization because it is a one-stop shop for shared secrets - no other information repository at this company has anything sensitive.”
Watch the full session recording to hear why Hylaine selected Bitwarden.
Jimmy Chong, Cyber Security Engineer at NAES, explained why his company chose Bitwarden for their password management solution and the benefits of using open source software for his team.
Chong reflected on how “having an open source software provides the ability for freedom and flexibility” in your tools. It also promotes high quality, thanks to the public visibility. For Chong, one of the most influential parts of using open source products is how “the community inspires excellence in development.”
Communities are the heart of open source projects, driven by people with a passion for improving the product and innovating in ways that closed source solutions struggle to achieve because there aren’t as many perspectives being brought to the table.
Watch the full session recording to learn more about why NAES chose Bitwarden.
Stay connected with the Bitwarden community to stay in the know about events like this and other cybersecurity resources!
See you at the Open Source Security Summit in 2024!