TL;DR Proprietary security is a fresh cow pie hiding in the tall grass.
Figure 1 - How I imagine decision fatigued CTOs see the world when speaking to proprietary security vendors. Can you spot the cow pie?
In a previous post, I advocated for the merits of DevSecOps and shift left security. In this post, I will present our position on open source security vs. security by obfuscation (STO). If you read the title and are familiar with the mid-western American expression cow pie, you hopefully know where I am going. If not, here’s a verbose description: fresh bovine excrement collapses under its own weight to form a flat cylindrical shape about the size of a pie and is well concealed by uncut grass. It’ll really mess up your cowboy (or cowgirl) boots - get the picture?
Let’s begin in 1883 when the Dutch-born cryptographer, Auguste Kerkchoffs articulated six design principles on La Cryptographie Militaire:
Some of these are certainly redundant given advances in computation since the 19th century but the second principle remains and is referred to as Kerchoffs’ principle. The principle was stated slightly differently (or perhaps restated) as “the enemy knows the system”, by American mathematician, Claude Shannon. The latter is referred to as Shannon’s maxim. (An aside, I would be tickled to be the author of either a maxim or a principle but alas, such accolades have eluded me.)
In searching for academic references to STO, I unfortunately was hard pressed to find even a postulate in favor of the practice. I did not intend to run STO through the google test but the fourth organic result gives an indication of popular perception (don’t use it). Though, Ross Patel does make a fair argument that STO can enhance security in conjunction with other security methods. He cites the example of network administrators placing sensitive services on non-standard ports to evade script kiddies and programs that exploit common vulnerabilities.
It is a fair point that STO can indeed increase security if the means of obfuscation is consistently unique. A metaphor to drive the point home - open source security is the safe in which you store the jewels; STO is the act of hiding the safe. Of course your safe is useless without a strong password. That being said, a security company that offered a service to hide your safe behind the family portrait (and offered the same service to all its clients) is probably not offering a valuable service and likely why popular opinion does not favor the method. However, choosing to hide your safe somewhere non-obvious and random would indeed be a valuable addition to your security system.
I would propose that security systems/methods/software that are used in many places or by many clients should adhere to Kerchoffs’ principle. Consider the following assumptions:
Therefore, the enemy knowledge of a security system increases with the number of users. I argue that widely used security systems must be completely open-source as these systems are designed to resist attack under complete enemy knowledge of its workings. Let it henceforth be known as ‘Esmail’s Postulate’. ;)
Beyond adversary or enemy knowledge, we should consider the value added of public knowledge to a system. Blackhats often work together by publishing their hacks on the dark web or Github (Mirai is on Github - I won’t link to it, but you can find it if you like). Others then contribute and build upon these tools furthering the capabilities. Whitehats can mirror this collaborative behavior in releasing their tools to the commons and crowdsourcing audit, vulnerability disclosure and patches.
To substantiate theory with practice, there are successful companies doing a great job with open source security:
What these companies have in common is that they are building developer tools. We believe this is the best place to think about security - during development (link to shift left security).
To conclude, security through obfuscation is a single piece to consider in building a strong system. The plat de resistance in your security system should be open source, resilient in enemy hands and supported by crowdsourced audit.
Want to troll me? Comments below or twitter.