Facebook, Google, and the Rise of Open Source Security Software

简介: http://www.wired.com/2014/10/facebook-builder-osquery/Facebook chief security officer Joe Su...

http://www.wired.com/2014/10/facebook-builder-osquery/

Facebook chief security officer Joe Sullivan says that people like Mike Arpaia are hard to find.

Arpaia is a security engineer, but he’s not the kind who spends his days trying to break into computer software, hoping he can beat miscreants to the punch. As Sullivan describes him, he’s a “builder”—someone who creates new tools capable of better protecting our computer software—and that’s unusual. “You go to the security conferences, and it’s all about breaking things,” Sullivan says. “It’s not about building things.”

Facebook hired Arpaia in January, and in the nine months since, he and a small team of other engineers built a tool called OSquery, which aims to identify attacks on the thousands of machines used across the company, including both the servers that underpin Facebook’s vast online empire and the personal computers used by employees. OSquery is still under test at Facebook—and only on employee machines—but on Wednesday, the company open-sourced the tool, sharing the underlying code with the world at large. It’s another way of saying that people like Mike Arpaia are hard to find.

Facebook engineer Mike Arpala created OSquery.

Facebook engineer Mike Arpaia.  Courtesy Mike Arpaia

On today’s internet, as Sullivan explains, you can’t buy your way to good security. If you run a large online operation like Facebook, you need more than just off-the-shelf hardware and software to protect the thing. “You can’t just install three appliances and go back to work,” he says. Today’s online operations are so complex, you’re forced to build your own security tools, tailoring software to your particular setup. In open sourcing OSquery, Facebook aims to help others do that—and in the process, help itself. Outside companies can use the tool—as some already do, according to Arpaia—but they can also help Facebook improve it.

The move is part of a larger effort by the web’s biggest names to not only build their own security software, but also open source it. In the past, companies were reluctant to open source their tools for reasons of, well, security. And many still are still reluctant. But just as they’ve realized they can improve security by encouraging outsiders to find bugs in their services, these companies now see that they can better protect their operations by inviting outsiders to test and enhance tools like OSquery—at least on some occasions. “The notion that obscurity means security is not always true,” says Rich Mogull, a security analyst and consultant with a company called Securiosis.

Security pros have a long tradition of using open source tools. Snort, intrusion detection software that’s now built by Cisco, was open-sourced back in the 1990s. And other open-source security tools such as Nmap and Metasploit are industry standards. But what’s new here is that big name web companies—the companies on the front lines of the security fight, the companies that see the threats at close range–are open sourcing their tools. It’s a trend that mirrors what these companies have done with all sorts of other software that helps drive their unusually large and complex operations.

Before joining Facebook, Arpaia was a security engineer at Etsy, the startup that runs an online marketplace for vintage goods and handmade crafts, and he came to Facebook’s attention because the two companies worked together to build and open source a Mac OS X security tool called Midas. Google has open sourced a wide range of security tools, including a tool called GRR. And Arpaia cites several other companies that are contributing code to the larger security community, including Stripe and Square.

“The concept of releasing software—and the specific ways we go about making infrastructure more secure—hasn’t really caught on yet with the wider security community, but we’re getting there,” says Arpaia. “I think OSquery can be a good push in that direction.”

Facebook chief security officer Joe Sullivan. Photo: Facebook

Facebook chief security officer Joe Sullivan.  Getty Images

OSquery is a tool that lets you more easily identify what’s running on a machine’s operating system and what has recently changed—at the lowest level. Basically, it exposes the operating system as a relational database, so that you can use standardSQL queries to identify running processes, loaded kernel modules, open network connections, and more. “When a computer is hacked, some fundamental state has changed,” Arpaia says. “OSquery allows you to really easily, in almost natural language, ask the computer what its state is.”

Security consultant Mogull says that other tools do this sort of thing and that it will be hard to tell how useful the thing is until companies actually use it. But he applauds Facebook for releasing it and says that more companies should do the same thing, pointing out that he often recommends that his clients use two security tools recently open sourced by Netflix.

With OSquery, Facebook isn’t giving away its secrets. As Arpaia explains, the company is sharing its code, but not how this code will be used. In geek speak, OSquery is a “framework” for building larger security systems. Open sourcing it can’t hurt Facebook. And it just might help the internet.


目录
相关文章
|
前端开发
实战:第十八章:facebook和google免登接入
实战:第十八章:facebook和google免登接入
113 0
实战:第十八章:facebook和google免登接入
|
XML Android开发 数据格式
android google market 不能搜索到facebook或显示不兼容
android google market 不能搜索到facebook或显示不兼容
181 0
|
Rust 安全 Linux
Google 公布 Open Source Peer Bonus 最新 25 名贡献者
Google 公布 Open Source Peer Bonus 最新 25 名贡献者
193 0
Google 公布 Open Source Peer Bonus 最新 25 名贡献者
|
Kubernetes Java Linux
Google 和 Facebook 为什么不 用Docker?
看看 Docker 公司的 logo 上画的是啥就知道作者的心意了)。而一个 container 执行一个 image 就如一个 process 执行一个 program。 在 Google 工作过的人恐怕在用 Borg 的时候都未曾接触过 container 和 image 这两个概念。为啥 Borg 里没有,而 Kubernetes
|
SQL 机器学习/深度学习 人工智能
顶尖架构师能从Google、Facebook、Netflix等公司学到哪些技术?
  架构设计到底是做什么?每个人都有不同的答案,毕竟在不同的时间,不同的系统层级,不同的需求背景上,架构设计的任务都有所不同。那么换另外一个问题,如何成为顶尖的架构师?   先使用程序员的拆分技能:成就优秀需要划分两个阶段,先成为普通的架构师,然后再想办法成就优秀。   虽然 2022 年已经过了六分之一,但我们的新年也就刚开始,常言道种树最好的时间是十年前,其次是现在,学习架构也是一样,希望以下的学习小结可以给你帮助。
198 0
|
前端开发
Google、Facebook、GitHub、Babel核心成员齐聚,第13届D2前端技术论坛正式启动
由阿里巴巴前端委员会举办的第13届D2前端技术论坛将于2019年1月6日在杭州举办。
3555 0
|
存储 区块链 文件存储
区块链将会怎样颠覆Google、Amazon、Facebook和Apple?
策划|Tina编辑|Liu Zhiyong区块链前哨导语:4 月 5 日我们发布了文章《十年了,除了炒币,区块链还能不能好了?》,这篇文章引起了热烈的反响,因为在连跳广场舞的大妈都能对区块链如数家珍,这篇文章不啻泼了一盆凉水。
1909 0