An open source, decentralized platform
for security research and vulnerability management
We’ve been spending a lot of time lately thinking about the challenges of securing companies and applications in a world where we all rely on open source software. It is our belief that if we work together, in an open coalition, we can build better security infrastructure and tooling, and materially impact the degree to which we are vulnerable.
After we left Twitter, a couple of us started hacking on the concept of an automated vulnerability metascanner. We contributed to an open source project, vuls, by adding local execution, reducing privileges required, and improving scanning accuracy. Then we wrote and open sourced tooling around it and made a hosted API and site for analyzing the resulting data. When CoreOS released Clair, a scanner for containers, we began building around it as well, and as the container ecosystem advanced we added support to our metascanner for Docker containers, Kubernetes, and Google Container Registry.
We were thinking about turning the metascanner into a business, and as we started productionizing our infrastructure we found that the Kubernetes helm chart for nginx lacked support for the Role Based Access Control (RBAC) feature added in Kube 1.6. While contributing support for RBAC, we took a deeper look at Kubernetes' access policy, and began working on the Docker Scanning Special Interest Group (SIG). We produced a working specification for tracking contents and vulnerabilities in Docker containers, utilizing Notary and a docker registry. This has since been rolled into Google's Grafeas project, and the policy engine component is the Kritis project.
It also led us deep into research on the state of vulnerabilities in public Docker images, which presented a larger problem for our metascanner:
Automated scanning isn’t very useful if the vulnerability database is incomplete, inaccurate, or untimely.
The big idea
Since then, we’ve spent a lot of time considering the best approach to making the vulnerability reporting ecosystem more robust.
We want to help secure the Internet by building infrastructure and tooling that allows us to collectively focus significantly more resources on security within open source software. We think leaning too heavily on the current CVE/NVD ecosystem, which is insufficiently funded by the Department of Homeland Security, has left the community unnecessarily vulnerable.
We think the first step is to build an open protocol and repository for security vulnerabilities with the initial objective being to make vulnerability reporting and remediation faster. When we were building the metascanner, we regularly found public information about a vulnerability while our scanner was blind to it.
We think the second step will be to build a platform that allows companies to directly fund security research within the open source software they rely upon. This would create significantly higher bounties, which could be more fairly distributed, and could attract many more talented researchers to spend time on open source projects. We want to make contributing information and research to the public repository substantially more profitable than alternatives, such as selling it to brokers or nefarious actors.
Using staking and reputation systems, we think we can provide more sophistication around consensus and conflict resolution, especially around the severity and surface area of vulnerabilities. Combining attestations and Google Kritis, we think we can enable companies to build security policy around the opinions of specific and trusted sources.
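To make the attestation and consensus idea above concrete, here is an added Python sketch (not code from this project, Kritis, or Grafeas) of one possible policy evaluator. It assumes a registry of trusted attesters with stake weights, authenticates each attestation with an HMAC keyed per attester (a stand-in for a real signature scheme such as the ones Notary or Kritis use), resolves conflicting severity claims by stake-weighted vote, and then admits or rejects an image against a maximum-severity policy. Attester names, keys, stakes, the image digest and the vulnerability identifier are all constructed sample data.

```python
"""Policy over signed vulnerability attestations (illustrative design only).

Authenticity: HMAC-SHA256 keyed per attester, standing in for a signature.
Conflict resolution: stake-weighted vote among trusted attesters only.
Every name, key, stake, digest and vulnerability id here is constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Attestation:
    attester: str
    image_digest: str
    vuln_id: str
    severity: str
    signature: str  # hex HMAC over the canonical payload


def canonical_payload(attester, image_digest, vuln_id, severity):
    # Canonical JSON so signer and verifier hash identical bytes.
    fields = {"attester": attester, "image": image_digest,
              "vuln": vuln_id, "severity": severity}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(attester, key, image_digest, vuln_id, severity):
    payload = canonical_payload(attester, image_digest, vuln_id, severity)
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return Attestation(attester, image_digest, vuln_id, severity, sig)


def verify_attestation(att, keys):
    """True only if the attester is known and the MAC matches its key."""
    key = keys.get(att.attester)
    if key is None:
        return False
    payload = canonical_payload(att.attester, att.image_digest, att.vuln_id, att.severity)
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.signature)


def consensus_severity(atts, keys, stakes, image_digest, vuln_id):
    """Stake-weighted vote over valid attestations about one (image, vuln).

    Returns (severity, share_of_stake). Forged attestations and attestations
    from attesters outside the trusted set carry no weight. Ties resolve
    toward the higher severity (fail closed).
    """
    votes, total = {}, 0
    for a in atts:
        if a.image_digest != image_digest or a.vuln_id != vuln_id:
            continue
        if a.attester not in stakes or not verify_attestation(a, keys):
            continue
        w = stakes[a.attester]
        votes[a.severity] = votes.get(a.severity, 0) + w
        total += w
    if total == 0:
        return None, 0.0
    sev, weight = max(votes.items(), key=lambda kv: (kv[1], SEVERITY_RANK[kv[0]]))
    return sev, weight / total


def admit_image(atts, keys, stakes, image_digest, vuln_ids, max_severity="MEDIUM"):
    """Admit only if every listed vuln has a consensus at or below max_severity."""
    for v in vuln_ids:
        sev, _ = consensus_severity(atts, keys, stakes, image_digest, v)
        if sev is None or SEVERITY_RANK[sev] > SEVERITY_RANK[max_severity]:
            return False
    return True


# Constructed trust registry: per-attester keys and stake weights (sum 100).
KEYS = {"scanner-a": b"constructed-key-a", "scanner-b": b"constructed-key-b",
        "researcher-c": b"constructed-key-c"}
STAKES = {"scanner-a": 50, "scanner-b": 30, "researcher-c": 20}

IMAGE = "sha256:" + "0" * 64          # constructed digest, not a real image
VULN = "EXAMPLE-VULN-0001"            # constructed id, not a real advisory

ATTESTATIONS = [
    sign_attestation("scanner-a", KEYS["scanner-a"], IMAGE, VULN, "HIGH"),
    sign_attestation("scanner-b", KEYS["scanner-b"], IMAGE, VULN, "MEDIUM"),
    sign_attestation("researcher-c", KEYS["researcher-c"], IMAGE, VULN, "HIGH"),
    # Forged: claims to be scanner-b but signed with the wrong key.
    sign_attestation("scanner-b", b"wrong-key", IMAGE, VULN, "NONE"),
    # Unknown attester with no stake: ignored regardless of its key.
    sign_attestation("anon", b"anything", IMAGE, VULN, "NONE"),
]

if __name__ == "__main__":
    print(consensus_severity(ATTESTATIONS, KEYS, STAKES, IMAGE, VULN))
    print(admit_image(ATTESTATIONS, KEYS, STAKES, IMAGE, [VULN], "MEDIUM"))
```

With the constructed data, 70 of 100 stake units say HIGH, so the consensus is HIGH at 0.7 and a MEDIUM-or-below policy rejects the image, while the forged and unknown NONE claims change nothing. Swapping the HMAC for a real signature scheme and the static stake table for a reputation system are the parts this sketch leaves open.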
Here is a summary of our current thinking on some of the problems and potential solutions we’re currently looking at.
Do you think we’re on the right track? Some of our ideas are probably a bit audacious, and to be frank, while we have some perspective as end users of security research, and software authors, we’re novices compared to so many of the incredibly talented security researchers that are out there. We’d really value help thinking through the ramifications of different design choices as well as whether we're focused on the right problems to tackle.
Ultimately, we hope to design an open protocol, open source infrastructure, and an openly governed organization in order to form a strong coalition of security-minded people and companies, with the objective of improving the state of security.
While this is just one tiny step in what will be a very long journey, we want to give credit where credit is due:
nick, who was a partner-in-crime in building MoPub, and repeated his magic on the metascanner.
aj, without whom our open source contributions would not have been possible, has been a mentor for us for over seven years.
david, for organizing the Docker Scanning SIG, which provided a venue for great brainstorming and conversations, all of which he led and contributed to.