In a nutshell, the OSSI is a comprehensive list of the most popular open source security tools available.
We’ll also take a look at its top 5 libraries and discuss how you can use these to secure your networks and applications.
What is the Open Source Security Index?
The OSSI ranks the most widely used open source security tools by a weighted score computed from data pulled from the GitHub application programming interface (API). The metrics, and their weights in the score, are:
- Total stars (15%). Although they don’t have a formal definition, GitHub star counts are routinely used as a proxy for project popularity. That’s because people often use them to bookmark libraries or provide them as a form of positive feedback.
- Star cadence (15%). Beyond the raw count, the OSSI divides a project's stars by its age to get an average number of stars per day since the repository was created. This shows how quickly a project's popularity is growing.
- Watchers (10%). Similarly to stars, the number of watchers suggests how many people are interested in tracking the project’s changes and developments.
- Watcher growth (5%). As with stars, the velocity of watcher expansion can give an idea of the project’s relative trajectory.
- Contributors (25%). Having a diverse and active community is an important part of a thriving open source project. The OSSI takes this into account by filtering out bots and anonymous accounts to identify the total number of live contributors to a given library.
- Release cadence (25%). Alongside how many contributors a project has, how actively they commit matters too. The OSSI uses the average number of commits per day, and this metric accounts for one quarter of the score.
- Forks (5%). Ideally every contributor would merge their changes back upstream, but a large number of forks also suggests that the project is being adapted to a growing range of use cases and business needs.
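To make the scoring concrete, here is an added example (not the OSSI's own code) that derives the seven metrics from raw repository counts and combines them with the weights listed above. The page does not say how the OSSI normalises metrics of different scale before weighting, so the example assumes each metric is scaled by the largest value among the candidates; the 30-day watcher snapshot, the bot filter on the GitHub contributor `type` field, and the three sample repositories are likewise constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Weights as given for the OSSI above; they sum to 1.0.
WEIGHTS = {
    "stars": 0.15,
    "star_cadence": 0.15,
    "watchers": 0.10,
    "watcher_growth": 0.05,
    "contributors": 0.25,
    "commit_cadence": 0.25,
    "forks": 0.05,
}

AS_OF = date(2023, 9, 1)   # scoring date for the constructed sample below
SNAPSHOT_DAYS = 30         # assumption: watcher growth is measured against a snapshot this old


@dataclass
class RepoStats:
    """Raw per-repository counts, constructed here but shaped like GitHub API fields."""
    name: str
    created: date        # created_at
    stars: int           # stargazers_count
    watchers: int        # subscribers_count now
    watchers_prev: int   # subscribers_count SNAPSHOT_DAYS ago (assumed earlier snapshot)
    contributors: int    # human contributors after bot/anonymous filtering
    commits: int         # commits on the default branch since creation
    forks: int           # forks_count


def count_human_contributors(listing: list[dict]) -> int:
    """Filter a /repos/{owner}/{repo}/contributors listing down to real accounts.
    GitHub reports bots with type "Bot" and, when anon=1 is requested, unmatched
    commit authors with type "Anonymous"; only type "User" entries are counted."""
    return sum(1 for entry in listing if entry.get("type") == "User")


def derive_metrics(repo: RepoStats, as_of: date = AS_OF) -> dict[str, float]:
    """Turn raw counts into the seven metrics the index weights."""
    age_days = max((as_of - repo.created).days, 1)  # avoid dividing by zero for a brand-new repo
    return {
        "stars": float(repo.stars),
        "star_cadence": repo.stars / age_days,        # average stars per day since creation
        "watchers": float(repo.watchers),
        "watcher_growth": (repo.watchers - repo.watchers_prev) / SNAPSHOT_DAYS,
        "contributors": float(repo.contributors),
        "commit_cadence": repo.commits / age_days,    # average commits per day
        "forks": float(repo.forks),
    }


def score_repos(repos: list[RepoStats], as_of: date = AS_OF) -> list[tuple[str, float]]:
    """Weighted score per repository, best first.
    Each metric is scaled by the largest value among the candidates so it lies in [0, 1]
    (this max-scaling is an assumption; the page does not say how the OSSI normalises),
    then the weighted sum is taken, so scores also lie in [0, 1]."""
    metrics = {r.name: derive_metrics(r, as_of) for r in repos}
    maxima = {k: max(m[k] for m in metrics.values()) or 1.0 for k in WEIGHTS}
    scores = {
        name: sum(WEIGHTS[k] * m[k] / maxima[k] for k in WEIGHTS)
        for name, m in metrics.items()
    }
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


# Constructed sample: an old, large project; a mid-sized one; a young, fast-growing one.
SAMPLE = [
    RepoStats("alpha",   AS_OF - timedelta(days=4000), 40000, 2000, 1910, 1000, 40000, 8000),
    RepoStats("bravo",   AS_OF - timedelta(days=2000), 20000, 1000,  970,  400, 10000, 2000),
    RepoStats("charlie", AS_OF - timedelta(days=400),  16000,  400,  280,  100,  8000,  800),
]

if __name__ == "__main__":
    for name, score in score_repos(SAMPLE):
        print(f"{name:8s} {score:.3f}")
```

With the sample data the young project "charlie" outranks the mid-sized "bravo" despite fewer stars, watchers and contributors, because the two cadence metrics carry 40% of the weight; that is the effect the index's designers describe when they say star and commit velocity show a project's trajectory.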
As of September 2023, the top 5 libraries in the OSSI were Metasploit, Vault, Cilium, Ruff, and OpenSSL:
The Metasploit Framework is a penetration testing platform written primarily in Ruby. It is designed to help security researchers and penetration testers identify and exploit known vulnerabilities. The framework provides a centralized collection of exploits, payloads, and auxiliary modules, allowing users to create, test, and execute exploit code against a remote target. It is highly modular, supporting a wide range of tasks from web application assessment to network service scanning and post-exploitation.
The vulnerability management company Rapid7 acquired the original Metasploit open source project in 2009 and has since published the framework under a BSD-style license.
Another project with a corporate sponsor (HashiCorp), Vault is a tool designed for secrets management, encryption as a service, and privileged access management. It provides a unified interface for securely accessing various types of secrets like API keys, passwords, and certificates. Vault offers several key features:
- Data Encryption. Vault can encrypt and decrypt data without storing it (encryption as a service), so developers can keep ciphertext in their own databases while Vault holds the keys.
- Secure Secret Storage. Vault encrypts secrets before storing them, making raw storage access insufficient for secret retrieval.
- Leasing and Renewal. Every secret has an associated lease; a client can renew the lease while it still needs the secret, and Vault revokes the secret automatically when the lease expires.
- Dynamic Secrets. Vault can generate short-lived credentials on demand for systems such as AWS or SQL databases, revoking them automatically once their lease ends.
- Revocation. Vault supports secret revocation at various levels, aiding in key rolling and system lockdown during security incidents.
Vault is licensed under the Business Source License (BSL), a source-available license that permits production use except in products that compete with HashiCorp's own offerings.
Cilium is an extended Berkeley Packet Filter (eBPF)-based networking, security, and observability solution for Kubernetes environments that can take over the network policy enforcement and load balancing traditionally done with iptables-based firewalls and kube-proxy.
- eBPF-based Dataplane for High Efficiency. Cilium leverages eBPF to work directly in the Linux kernel. This allows for high-performance data path operations, making it suitable for latency-sensitive applications.
- Identity-Based Security for Dynamic Workloads. Cilium assigns security identities to groups of application containers, allowing for dynamic, fine-grained security policies. This identity-based model is decoupled from network addressing, providing scalable and adaptable security measures.
- Advanced Load Balancing with Efficient Hash Tables. Cilium replaces kube-proxy and uses specialized hash tables (eBPF maps) in the kernel for load balancing. These tables are optimized for quick lookup and insertion, giving fast routing decisions that scale with the number of services and backends.
- Integrated Advanced Functionality. Beyond basic networking and security, Cilium offers integrated ingress and egress gateways, as well as bandwidth management features. This makes it a comprehensive solution for complex networking requirements, including service mesh capabilities.
- Observability with Hubble. Cilium comes with a dedicated observability platform called Hubble. Hubble provides deep network and security visibility, offering metrics, event monitoring, and even service dependency mapping, making it easier to diagnose issues and understand network behavior.
Cilium is primarily sponsored and maintained by Isovalent, a company that specializes in cloud-native networking, security, and observability. Isovalent provides commercial support and additional enterprise features for Cilium, although the core Cilium project itself is open-source and available via the highly permissive Apache 2.0 license.
Ruff is a linting tool for Python code. Linting refers to the automated analysis of code to detect errors, "smells" (i.e. heuristic indicators of problems), stylistic issues, and other potential bugs. It checks code against a comprehensive set of rules, which can be configured to suit specific project needs. These rules cover a wide range of issues, from syntax errors and unused variables to more involved matters such as cyclomatic complexity and adherence to organizational or industry standards. Ruff has over 600 built-in linting rules and offers:
- Built-in Caching and Autofix Support. Ruff comes with built-in caching to avoid re-analyzing unchanged files, reducing redundant work. It also offers autofix support, which can automatically correct certain types of errors, such as removing unused imports.
- Configurable and Extensible. Ruff allows for configuration through pyproject.toml and supports hierarchical and cascading configurations. It can replace multiple Python quality tools like Flake8, isort, pydocstyle, and more, all while executing much faster.
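The unused-import check mentioned above (Ruff's rule F401, inherited from Pyflakes) is a good place to see what a linter and its autofix actually do. The following is an added, deliberately simplified example written for this page, not Ruff's own implementation: it walks the Python AST to find imported names that are never read, then rewrites the import statements to drop them. The sample module it lints is constructed here.

```python
import ast

# Constructed sample module with two unused imports ("os" and "PurePath").
SAMPLE_SOURCE = """\
import os
import sys
import subprocess as sp
from pathlib import Path, PurePath


def run(cmd):
    return sp.run(cmd, check=True)


print(Path(sys.argv[1]))
"""


def _bound_name(node: ast.AST, alias: ast.alias) -> str:
    """The name an import statement binds in the module namespace:
    'import os.path' binds 'os', 'import subprocess as sp' binds 'sp',
    'from pathlib import Path' binds 'Path'."""
    if alias.asname:
        return alias.asname
    if isinstance(node, ast.Import):
        return alias.name.split(".")[0]
    return alias.name


def find_unused_imports(source: str) -> list[tuple[int, str]]:
    """Report (line, bound name) for imports never read as a plain name.
    Attribute access such as sp.run starts with an ast.Name('sp') node, so collecting
    every Name in Load context is enough; names only re-exported through __all__
    strings are a known gap of this simplified check."""
    tree = ast.parse(source)
    imported: dict[str, int] = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                if alias.name == "*":        # star imports cannot be tracked this way
                    continue
                imported[_bound_name(node, alias)] = node.lineno
    used = {n.id for n in ast.walk(tree)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
    return sorted((line, name) for name, line in imported.items() if name not in used)


def remove_unused_imports(source: str) -> str:
    """Autofix: drop unused names from top-level import statements, deleting the whole
    statement when nothing is left and re-emitting it with ast.unparse otherwise."""
    unused = {name for _, name in find_unused_imports(source)}
    tree = ast.parse(source)
    lines = source.splitlines(keepends=True)
    edits: list[tuple[int, int, str]] = []
    for node in tree.body:
        if not isinstance(node, (ast.Import, ast.ImportFrom)):
            continue
        keep = [a for a in node.names if _bound_name(node, a) not in unused]
        if len(keep) == len(node.names):
            continue
        replacement = ""
        if keep:
            node.names = keep
            replacement = ast.unparse(node) + "\n"
        edits.append((node.lineno, node.end_lineno, replacement))
    for start, end, text in reversed(edits):   # apply bottom-up so line numbers stay valid
        lines[start - 1:end] = [text] if text else []
    return "".join(lines)


if __name__ == "__main__":
    for line, name in find_unused_imports(SAMPLE_SOURCE):
        print(f"sample.py:{line}: F401 '{name}' imported but unused")
    print(remove_unused_imports(SAMPLE_SOURCE))
```

Why it matters for security: an import that nothing uses still executes that module's top-level code at load time, so a linter that strips dead imports also shrinks the amount of third-party code that runs in your process. A real tool such as Ruff additionally handles `__all__`, conditional imports, and type-checking-only imports, which this toy version ignores.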
Released under the permissive MIT license, Ruff can be, and often has been, integrated into other products and applications. The newest project in the OSSI top 5 (created in 2022), Ruff itself gave birth to a company, Astral, in 2023. Astral builds Python tooling for developers.
OpenSSL is a widely used toolkit for encrypting data in transit with Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). The only project in the top 5 not sponsored by a private sector organization, OpenSSL is governed by a nonprofit with both a technical committee and a management committee. OpenSSL is available under the Apache License 2.0 and has many features, such as:
- Comprehensive Cryptographic Library (libcrypto). OpenSSL includes libcrypto, a general-purpose cryptographic library that serves as the foundation for its TLS implementation. This library offers a wide range of cryptographic algorithms and is usable independently of the TLS protocols.
- Command-Line Utility for Cryptographic Tasks. The toolkit comes with a versatile command-line tool, often referred to as the "Swiss Army knife" for cryptography. It can perform a multitude of tasks, including key and parameter generation, X.509 certificate management, message digest calculations, and encryption/decryption.
- Extensive Documentation and Community Support. OpenSSL has a rich set of documentation, including for historical versions, to assist both new and experienced users.
One notable episode in OpenSSL's history was the disclosure of the Heartbleed vulnerability (CVE-2014-0160) in 2014, a bug in the TLS heartbeat extension that let an unauthenticated remote attacker read chunks of a peer's memory, including private keys, with a single malformed request. Due to the widespread use of OpenSSL and the ease with which the issue could be exploited, over 840 breaches were attributed to it. The central importance of OpenSSL to encryption deployments worldwide makes it a potential single point of failure should another similar vulnerability appear.
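The practical consequence of that single point of failure is that the vulnerable code lives in a shared library your runtime links against, not in your own application, so the first question during an incident like Heartbleed is "which OpenSSL is this process actually using?". The added example below (written for this page, not from the OpenSSL project) answers that for a Python interpreter through the standard `ssl` module, classifies a version banner against the known Heartbleed range (OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; 1.0.1g carried the fix), and builds a client context that refuses anything below TLS 1.2 and always verifies the peer. The version strings in the test are constructed banners in OpenSSL's usual format.

```python
import re
import ssl
from typing import Optional

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1
# pre-release; 1.0.1g shipped the fix and the 1.0.0/0.9.8 branches never had the bug.
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def heartbleed_affected(version_string: str) -> Optional[bool]:
    """Classify a banner such as 'OpenSSL 1.0.1f 6 Jan 2014'.
    Returns None when the string is not an OpenSSL version (e.g. a LibreSSL build)."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch, pre = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return patch <= "f"        # "" (plain 1.0.1) and a..f are affected, g onward fixed
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"      # only the first 1.0.2 beta shipped the bug
    return False


def runtime_openssl_report() -> dict:
    """What this interpreter is actually linked against: an inventory check you can run
    on every host, because the bug is in the shared library, not in the application."""
    return {
        "version": ssl.OPENSSL_VERSION,
        "version_info": ssl.OPENSSL_VERSION_INFO,
        "heartbleed_affected": heartbleed_affected(ssl.OPENSSL_VERSION),
    }


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS below 1.2 and always verifies the peer certificate
    and hostname. create_default_context() already turns verification on; the
    minimum_version line is the additional tightening."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the settings that matter, for printing or asserting on."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print(runtime_openssl_report())
    print(describe_context(hardened_client_context()))
```

Running the report across a fleet is the cheap half of the response; the expensive half after a bug like Heartbleed is rotating every private key and session secret the affected process could have leaked, since the check tells you only that the library is now patched, not that nothing was read before.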
Open source libraries offer a huge variety of reusable functionality that organizations can leverage for many different purposes, including testing and defending their critical data and applications. With that said, although these capabilities are free of license fees, they are not free of cost.
The disclosure of massive security flaws like Heartbleed and, later, Log4Shell (CVE-2021-44228) demonstrates that enterprises need a comprehensive open source governance framework to manage the use of this code. Deploying security tools like Metasploit, Vault, Cilium, Ruff, and OpenSSL brings benefits, but also risks.
Need to get a handle on your open source code? Check out the Endor Labs demo library to see how we can help