There may be no such thing as a free lunch, but in an age of seemingly endless hacking attacks technologists will do you one better: free security tools.
Engineers from top tech firms Facebook (FB), Uber, Slack, and Pandora (P) extolled the virtues of open source security software at the Structure Security conference in San Francisco on Tuesday. Open source software, produced as a collaboration between volunteer software developers who often coordinate through the code-sharing website Github, poses an alternative to the standard operating procedure in the cybersecurity industry: packaging up proprietary code and shipping it for a profit.
Proponents of open source software argue that by letting passionate developers get involved and tweak underlying code, the tools they create are stronger and more reliable. Plus, for companies looking to bolster their digital defenses, the software has the added benefit of being free.
Get Data Sheet,Coins2Day’s technology newsletter.
“We need more big company involvement in the open source community,” said Nick Anderson, a security engineer at Facebook. He pointed to “hacktoberfest,” a month-long coding fest sponsored by DigitalOcean, a New York-based data center company, as an encouraging example.
Through Hacktoberfest, DigitalOcean gives away free T-shirts to anyone working on an open source software project that meets some threshold of participation. (Specifically, anyone who has submitted four pull requests—essentially, draft code proposals—to projects in October is eligible for a shirt.)
Earlier in the day, Facebook announced that it had released a version of its open source computer network querying tool osquery for Microsoft (MSFT) Windows that scans and monitors computing infrastructure. Anderson, who was heavily involved in the project, told Coins2Day that the social networking site invested in the project mostly to give back to the community of developers who contribute to it.
Leigh Honeywell, a security engineer at business messaging service Slack who also participated in the panel, stressed the importance of continuously searching for bugs in software built through open source means. “People have to keep looking and doing proper code reviews,” she said, adding that incentives are key.
Lack of scrutiny could lead to problems like “Heartbleed,” a major flaw that affected OpenSSL, a coding component of security software designed to protect Internet traffic, for years before its discovery in 2014.
Prima Virani, a security engineer at Pandora, the music streaming site, said that “security through obscurity”—the idea that code will remain secure because its innermost details are kept secret—is a bad idea. Better to open up software and let more eyes see it, as is the case in the open source community.
For more on open source initiatives by Facebook, watch:
Hudson Thrift, security operations lead at the ride-hailing firm Uber, mentioned that the prevalence of software bugs exposed would only increase. “We’re going to see more public disclosures,” he said, mentioning that his team works with vendors to make sure the open source code they’re using is not vulnerable when security holes become known.
Facebook’s Anderson said there’s another reason he supports the open source movement: cutting through red-tape. When he finds bugs in proprietary code, he would prefer to avoid the time-consuming hassle of coordinating with a company to get the flaws patched. He’d rather just mend the issue and move on.
“It’s frustrating for me as an engineer,” Anderson said. “Having it as an open source project, then I can just go fix it.”