[ISN] Facebook, Google, and the Rise of Open Source Security Software

http://www.wired.com/2014/10/facebook-builder-osquery/ By Cade Metz Enterprise Wired.com 10.29.14 Facebook chief security officer Joe Sullivan says that people like Mike Arpaia are hard to find. Arpaia is a security engineer, but he’s not the kind who spends his days trying to break into computer software, hoping he can beat miscreants to the punch. As Sullivan describes him, he’s a “builder”—someone who creates new tools capable of better protecting our computer software—and that’s unusual. “You go to the security conferences, and it’s all about breaking things,” Sullivan says. “It’s not about building things.” Facebook hired Arpaia in January, and in the nine months since, he and a small team of other engineers built a tool called OSquery, which aims to identify attacks on the thousands of machines used across the company, including both the servers that underpin Facebook’s vast online empire and the personal computers used by employees. OSquery is still under test at Facebook—and only on employee machines—but on Wednesday, the company open-sourced the tool, sharing the underlying code with the world at large. It’s another way of saying that people like Mike Arpaia are hard to find. On today’s internet, as Sullivan explains, you can’t buy your way to good security. If you run a large online operation like Facebook, you need more than just off-the-shelf hardware and software to protect the thing. “You can’t just install three appliances and go back to work,” he says. Today’s online operations are so complex, you’re forced to build your own security tools, tailoring software to your particular setup. In open sourcing OSquery, Facebook aims to help others do that—and in the process, help itself. Outside companies can use the tool—as some already do, according to Arpaia—but they can also help Facebook improve it. […]