Facebook chief security officer Joe Sullivan says that people like Mike Arpaia are hard to find.
Arpaia is a security engineer, but he's not the kind who spends his days trying to break into computer software, hoping he can beat miscreants to the punch. As Sullivan describes him, he's a "builder"---someone who creates new tools capable of better protecting our computer software---and that's unusual. "You go to the security conferences, and it's all about breaking things," Sullivan says. "It's not about building things."
Facebook hired Arpaia in January, and in the nine months since, he and a small team of other engineers built a tool called OSquery, which aims to identify attacks on the thousands of machines used across the company, including both the servers that underpin Facebook's vast online empire and the personal computers used by employees. OSquery is still under test at Facebook---and only on employee machines---but on Wednesday, the company open-sourced the tool, sharing the underlying code with the world at large. It's another way of saying that people like Mike Arpaia are hard to find.
On today's internet, as Sullivan explains, you can't buy your way to good security. If you run a large online operation like Facebook, you need more than just off-the-shelf hardware and software to protect the thing. "You can't just install three appliances and go back to work," he says. Today's online operations are so complex, you're forced to build your own security tools, tailoring software to your particular setup. In open sourcing OSquery, Facebook aims to help others do that---and in the process, help itself. Outside companies can use the tool---as some already do, according to Arpaia---but they can also help Facebook improve it.
The move is part of a larger effort by the web's biggest names to not only build their own security software, but also open source it. In the past, companies were reluctant to open source their tools for reasons of, well, security. And many still are still reluctant. But just as they've realized they can improve security by encouraging outsiders to find bugs in their services, these companies now see that they can better protect their operations by inviting outsiders to test and enhance tools like OSquery---at least on some occasions. "The notion that obscurity means security is not always true," says Rich Mogull, a security analyst and consultant with a company called Securiosis.
Security pros have a long tradition of using open source tools. Snort, intrusion detection software that's now built by Cisco, was open-sourced back in the 1990s. And other open-source security tools such as Nmap and Metasploit are industry standards. But what's new here is that big name web companies---the companies on the front lines of the security fight, the companies that see the threats at close range--are open sourcing their tools. It's a trend that mirrors what these companies have done with all sorts of other software that helps drive their unusually large and complex operations.
Before joining Facebook, Arpaia was a security engineer at Etsy, the startup that runs an online marketplace for vintage goods and handmade crafts, and he came to Facebook's attention because the two companies worked together to build and open source a Mac OS X security tool called Midas. Google has open sourced a wide range of security tools, including a tool called GRR. And Arpaia cites several other companies that are contributing code to the larger security community, including Stripe and Square.
"The concept of releasing software---and the specific ways we go about making infrastructure more secure---hasn't really caught on yet with the wider security community, but we're getting there," says Arpaia. "I think OSquery can be a good push in that direction."
OSquery is a tool that lets you more easily identify what's running on a machine's operating system and what has recently changed---at the lowest level. Basically, it exposes the operating system as a relational database, so that you can use standard SQL queries to identify running processes, loaded kernel modules, open network connections, and more. "When a computer is hacked, some fundamental state has changed," Arpaia says. "OSquery allows you to really easily, in almost natural language, ask the computer what its state is."
Security consultant Mogull says that other tools do this sort of thing and that it will be hard to tell how useful the thing is until companies actually use it. But he applauds Facebook for releasing it and says that more companies should do the same thing, pointing out that he often recommends that his clients use two security tools recently open sourced by Netflix.
With OSquery, Facebook isn't giving away its secrets. As Arpaia explains, the company is sharing its code, but not how this code will be used. In geek speak, OSquery is a "framework" for building larger security systems. Open sourcing it can't hurt Facebook. And it just might help the internet.
