The adoption of open source software has been increasing. It has vastly advanced in recent years, now offering even broader functionality, as well as inexpensive up-front cost and innovative features.
Open source enablers might have many benefits, but there are numerous pain points to explore too. Luckily, any issues in open-source software, like a Virtual Private Network (VPN), are found and fixed quickly, and there’s no way that developers can hide potentially risky flaws.
Cybernews invited Martin Hell, a Security Strategist at Debricked, a company that provides a Software Composition Analysis (SCA) tool that helps other organizations manage risk in open source dependencies. We discussed the technologies used to monitor vulnerability databases, the cybersecurity measures every individual and company should take, and the ins and outs of open source.
How did the idea of Debricked originate? What has the journey been like since your launch in 2018?
The ideas started to form during a research project at Lund University. Starting in 2015, we set out to better understand and improve how organizations could handle security vulnerabilities in third-party code. This included both technical and organizational aspects of the problem. Towards the end of the project, our proof-of-concept solution gained much interest from the industry partners. To continue developing with a high focus on industry needs, we commercialized the ideas in 2018 and raised some initial capital. Already from the start, we had an idea of leveraging machine learning for solving our tasks. This turned out to be very successful, and we saw that we could not only improve data quality, but we could do it at high speed. Growing the company, adding better accuracy, building a marketing team, and expanding our sales efforts was then the focus for several years. In 2022, Debricked was acquired by Micro Focus and their CyberRes line of business. We see this as a great opportunity to scale further and get one step closer to reaching our vision and beyond.
It is evident that open source is an important part of Debricked. Would you like to share more about your vision?
Open source is a fantastic enabler. It promises to let developers pull in functionality that would otherwise take months to implement, and just have it working from day one. This helps to push technological advancements forward. We can focus on innovation and user experience, knowing that state-of-the-art solutions to some underlying technology are just there. Debricked helps open source deliver on that promise, making sure there are no blockers or speed bumps in the way. This includes finding, fixing, and preventing risks in terms of vulnerabilities and software licenses. However, our vision goes far beyond that.
Open source has become a huge ecosystem. On PyPI alone, there are more than 3.5 million releases. Being able to navigate this ecosystem, to really be part of it, and to contribute back to it, will allow organizations to use its full potential. Open source is still in its infancy and we expect it to take a much bigger role in the future. Debricked wants to lead the way in how to embrace its power and make the most of its potential.
What technology do you use to detect vulnerabilities across open source dependencies?
Our environmental analysis tools monitor a large number of databases and sources that publish information on vulnerabilities in open source. We cover general sources, like NVD and the GitHub Advisory Database, but also sources that are specific to certain programming languages. We also scan several other sources for additional information. Then, our machine learning algorithms analyze the information to extract accurate information related to vulnerabilities and affected products. This extra step can often remove false positives that you’d see reported in many other similar tools.
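The matching step that sits underneath every SCA tool, as an added illustration that is not Debricked's code: dependencies are compared against advisory records by ecosystem, normalized package name and affected version range, and a name-only comparison is shown beside it to make the false-positive problem concrete. The advisory feed, advisory IDs and package names are constructed placeholders.

```python
# Added example, not Debricked's code: the core SCA check, matching declared
# dependencies against advisory records by ecosystem, normalized package name and
# affected version range. Advisories, IDs and packages are constructed placeholders.
import re

# Constructed advisory feed; affected range is half-open: [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "ecosystem": "PyPI", "package": "Example_Lib",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2023-0002", "ecosystem": "npm", "package": "example-lib",
     "introduced": "0.0.0", "fixed": "3.0.0"},
]

# Constructed dependency manifest: (ecosystem, package, installed version).
MANIFEST = [
    ("PyPI", "example-lib", "1.4.1"),  # inside the affected range
    ("PyPI", "example.lib", "1.4.2"),  # the fixed release itself
    ("npm", "example-lib", "3.10.0"),  # past the fix (3.10 > 3.0 numerically)
    ("PyPI", "unrelated", "2.0.0"),    # no advisory at all
]

def normalize_name(ecosystem, name):
    """PyPI names are case-insensitive and treat '-', '_', '.' alike (PEP 503);
    other ecosystems are folded to lowercase only."""
    if ecosystem == "PyPI":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name.lower()

def parse_version(v):
    """Numeric tuple so that 1.10.0 sorts after 1.9.0 (string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def _same_package(eco, name, adv):
    return adv["ecosystem"] == eco and \
        normalize_name(eco, adv["package"]) == normalize_name(eco, name)

def find_by_name_only(manifest, advisories=ADVISORIES):
    """Name-only match: also flags fixed versions, a classic false positive."""
    return [(n, v, a["id"]) for e, n, v in manifest
            for a in advisories if _same_package(e, n, a)]

def find_vulnerable(manifest, advisories=ADVISORIES):
    """(package, version, advisory id) for each dependency whose installed
    version lies in an advisory's [introduced, fixed) range."""
    hits = []
    for e, n, v in manifest:
        for a in advisories:
            if _same_package(e, n, a) and \
               parse_version(a["introduced"]) <= parse_version(v) < parse_version(a["fixed"]):
                hits.append((n, v, a["id"]))
    return hits
```

On the constructed manifest the name-only pass reports three findings, while the range-aware pass reports only the one dependency that is actually inside an affected range.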
How do you think the recent global events affected the way people approach cybersecurity?
We have surely seen attacks and events that can be attributed to the situation in Ukraine. Still, cyberattacks have been on the rise for a long time, and both people and organizations are becoming more and more aware of their presence and impact. Companies invest more in defensive technologies and security awareness, knowing that the cost of an attack far exceeds the investment cost. From a risk perspective, such a cost must be balanced against the probability of actually being an attack target. All security investments are a waste of money if there is never an attack. With the rise of cyberattacks, this probability today justifies putting far more resources into cybersecurity.
Why do you think organizations often fail to see the full scope of their attack surface?
Security is complex. The attack surface is huge, and it can rarely be justified to fill all the holes. Here we come back to the risk-based approach. Where should we target our resources to minimize either the likelihood of an attack or its potential impact? This decision requires a thorough understanding of the organization, its products and services, the underlying architecture used to serve customers, and the customers themselves. The failure is often not that certain pieces of security are missing, but that the importance of the underlying assets and how they are exposed is not understood. Making the right priorities is key to minimizing risks. What has happened in the last decade or so is that both the likelihood of attacks and the potential impacts have increased due to digitization and the nature of the data that is used and protected. This has increased the overall risk and naturally motivates putting more resources into cybersecurity.
In your opinion, why do certain companies hesitate to implement open source solutions?
Historically, there have been several factors for hesitation. Some are technological, like compatibility, documentation, reliability, and maintainability, while others are organizational, like support. But many of these factors are also related to adoption. Once open source increases in adoption, compatibility becomes better, documentation is improved, more people using the code expose more bugs, making it more reliable, and so on. Better open source through higher adoption is a self-fulfilling prophecy. And this is what we are seeing now. Adoption is increasing, leading to more adoption. The security factor has been much debated. Is open source or closed source more secure? In my view, the number of vulnerabilities is less interesting than the process of handling vulnerabilities. If fixes are deployed without delay, this is probably a better hygiene factor than the fact that there have been no vulnerabilities reported. Comparing open source and closed source, transparency is often clearer in open source since all code changes can be tracked. This also allows us to compare open source projects with each other in a much better way, so that we can choose the most secure project. This is one aspect where Debricked can help adoption, since we allow anyone to compare different open source projects, both from a security point of view and also by looking at the surrounding community and its developers.
What dangers can customers be exposed to if a company they trust struggles to ensure compliance?
In my view, apart from following regulatory frameworks, compliance adds two main factors. The first is to ensure a minimum set of practices that reduces risks and allows you to work in the right direction. The second is to make sure that you are not missing anything essential in the puzzle. This again comes back to risk. We can be super good at protecting some things, but that’s not worth anything if we completely forget to protect other things. There is no point in locking the door if the window remains open. In many of today’s digital services, companies are trusted with customers’ personal and sensitive information. Some because they want to, but many because they need to in order to provide the service. Exposing such information can lead to customers losing revenue; it can hurt their brand or expose them to further risks. From a user perspective, fraud and identity theft are common consequences when service providers don’t meet security requirements or simply miss out on some parts of their security measures.
Talking about personal cybersecurity, what measures do you think everyone should implement to protect themselves while browsing or using open source software?
For using software, having up-to-date versions with no security vulnerabilities is the most crucial measure. This is true for all software. Using vulnerabilities as an attack vector is today’s most common way of compromising systems and users. But if we just take a step back and consider personal cybersecurity in general, two measures stand out as most important. The first is to protect your account credentials, using good passwords and two-factor authentication. The second is to be wary of phishing attempts, whether they originate from email, social media, or SMS. Always verify the sender and, if the sender is unknown, always question why someone wants your password or credit card details. If we can make all users better at those two measures, we would be in a much better place as a society, getting rid of many opportunistic attacks.
What does the future hold for Debricked?
We have tons of ideas on how to both improve our service from a technical point of view and also how to further improve the developer experience when using our tool. The acquisition by Micro Focus will allow us to implement many more of our ideas. We can do it faster since we will be hiring across almost all departments. The adoption of open source will continue to grow, and Debricked will be a front runner enabling that. The main priority here is to make it easier for users to prevent, detect, and fix risks in open source, faster and with even greater accuracy than ever before.