Two venture investors have launched an index to track the most popular open source security projects.
Chenxi Wang of Rain Capital and Andrew Smyth of Atlantic Bridge unveiled the Open Source Security Index last month. The website leverages GitHub application programming interfaces (APIs) to make “finding open-source security projects easier for everyone.”
Anyone can go to the site to discover “the most popular and fastest-growing open-source security (OSS) projects.”
OSS projects are essential in the InfoSec world, but it’s not always easy to find a good and up-to-date list. So having such an index provides a valuable resource for security teams to see the range of OSS projects available for their daily work, and the list also offers a nice overview of the current security landscape.
Ranking the Projects
One of the more interesting parts of the ranking is the transparent methodology. The creators ranked entries under six metrics to list the Top 100 GitHub projects:
- The number of times a project has been starred
- The number of contributors to the project
- The number of commits the project has had in the last 12 months
- Number of watchers
- Change in the number of watchers over the last month
- Number of forks
Because the GitHub APIs are pretty convenient and contain lots of useful data, the index can take into account a range of criteria and apply some weighting. For example, the number of watchers is only 5% of the score, while the number of commits the project has had in the last 12 months is 25%.
The index should help promote actively maintained projects. It should also be noted that the number of stars has the highest weight, representing 30% of the score. Still, stars alone do not decide the order: at the time of writing, Osquery is behind Sigma, even though Sigma only has 5,805 stars compared to Osquery’s 19,678.
Wang said the ranking excludes bots and anonymous accounts from the number of contributors.
There are also manual additions for projects that lack labels in the GitHub API (tags, topics). The scope is limited to “direct security tools,” which explains why you don’t find projects such as Terraform or Elastic in the ranking.
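The weighting and bot-exclusion rules above, worked through as an added example (this is not the index's own code). Only the 30% stars, 25% commits and 5% watchers weights come from the article; the split of the remaining 40%, the max-normalisation, and all sample figures other than the two star counts are assumptions or constructed data.

```python
# Added example: a weighted ranking over GitHub-style project metrics in the
# spirit of the Open Source Security Index. Not the index's own code.

WEIGHTS = {
    "stars": 0.30,              # stated in the article
    "commits_12m": 0.25,        # stated in the article
    "watchers": 0.05,           # stated in the article
    "contributors": 0.40 / 3,   # ASSUMED: remaining 40% split evenly
    "watcher_delta": 0.40 / 3,  # ASSUMED
    "forks": 0.40 / 3,          # ASSUMED
}


def human_contributors(contributors):
    """Count contributors, excluding bots and anonymous accounts.

    GitHub's contributors API marks bot accounts with type "Bot" and
    anonymous commit authors with type "Anonymous" (no login)."""
    return sum(1 for c in contributors
               if c.get("type") == "User" and c.get("login"))


def normalise(projects):
    """Scale each metric to [0, 1] by its maximum across all projects
    (assumed normalisation); a metric that is 0 everywhere stays 0."""
    maxima = {m: max(p[m] for p in projects.values()) for m in WEIGHTS}
    return {name: {m: (p[m] / maxima[m] if maxima[m] else 0.0) for m in WEIGHTS}
            for name, p in projects.items()}


def rank(projects):
    """Return [(name, score), ...] sorted best first."""
    scored = {name: sum(WEIGHTS[m] * v for m, v in metrics.items())
              for name, metrics in normalise(projects).items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample: the two star counts are the article's figures at the
# time of writing; every other number is made up for illustration.
SAMPLE = {
    "sigma": {"stars": 5805, "contributors": 500, "commits_12m": 2400,
              "watchers": 150, "watcher_delta": 12, "forks": 1900},
    "osquery": {"stars": 19678, "contributors": 300, "commits_12m": 600,
                "watchers": 500, "watcher_delta": 3, "forks": 2300},
}

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{name:8s} {score:.3f}")
```

With these inputs Sigma's commit activity and contributor growth outweigh Osquery's larger star count, which is the kind of outcome the article describes.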
The Top 25 Reveals Current Trends
Wang wrote in a Dark Reading column that three major trends emerge from the Top 25 OSS projects on the list:
- Attack and red-team open-source tools, such as Metasploit, OSS Fuzz, Atomic Red Team, and Zap, remain popular.
- Cloud computing is now mainstream with security operations, such as Cilium, Trivy, Calico, and Sysdig.
- Automation and as-code workflow utilities like Nuclei and Sigma have begun to emerge.
While open source software is not without drawbacks, security teams can build these popular projects into their strategy instead of developing and deploying proprietary software.
According to Wang, this is how sophisticated security teams operate these days, by “managing security policies and operations like code.”
The Top 5 Languages
C and Ruby come in at the No. 4 and No. 5 positions, respectively, at 17.7% and 12.7%.
That’s not surprising, as these programming languages are very popular. Most PoCs (proofs of concept) and demos are written in the same languages.
The Ranking Will Evolve Over Time
The maintainers plan to refresh the data monthly to keep the list current, which is an important point. As the security landscape evolves rapidly, many existing lists quickly become outdated.
Of course, it’s safe to assume major frameworks such as Metasploit won’t be left unmaintained or abandoned anytime soon, but new security tools could emerge and become popular.