How Open-Source PKI Is Innovating Cybersecurity

Ted has worked in the security arena for over 25 years, including 10 years with the DOD and 15 years at Keyfactor where he serves as CTO.

Slowly but surely, DevOps teams are starting to receive their invites to the exclusive software security party. Where once their focus on high-speed development and deployment put them at odds with security teams that were always trying to rein them in, a small but growing number of developer and security teams are now working hand-in-hand to shift security left in the development process.

It’s a development strategy born of both necessity and opportunity. It shows the critical role developer teams play in securing business software—especially in a rapidly evolving cloud environment facing a changing threat landscape—but it also highlights the essential contributions the open-source and public-key infrastructure (PKI) communities continue to make toward creating more secure software.

Open-source licensing has long been a leading source of innovation in software development, drawing on a collaborative community of developers who contribute to a steady cycle of upgrades and corrections. Without it, many of the technologies we have today would not exist. Today, open-source technologies are being used extensively to improve the state of software security.

PKI, meanwhile, sits at the core of this confluence of DevOps, open source and security, providing a mechanism for securely sharing information.

Open-Source Tools, PKI Feed The Security Pipeline

The role that developer teams play in cybersecurity has evolved through the years. In traditional settings, security was often an afterthought—something applied to the finished product, if not after the software was already released. Over the past decade, the move to cloud platforms with dynamic applications and shared storage intensified the need for agile software development.

DevOps teams answered the call, quickly putting highly functional and scalable software into the CI/CD pipeline. Upgrades or new applications that once took months to develop and deploy were spun out over a weekend or within a day. But the speed of development often left any attempt at strong security behind.

We’re witnessing more security awareness with many developers “shifting left” and introducing security into the nascent stages of development. Their overall goal of creating software, applications and services that improve business outcomes may be the same. But in today’s high-stakes cyberattack landscape, software security is inseparable from business value.

And in bringing security into development efficiently and effectively, developers are tapping into open source and PKI.

For example, AppSec and ops teams are taking a bigger role in building security into applications. These teams increasingly rely on PKI and machine identities in the process, using open-source tools to implement security controls built on PKI, digital signatures and cryptography.

PKI empowers this work because it’s reliable and readily available—it’s the most widely used encryption and authentication framework, firmly established in many enterprises, with a proven set of standards to work with. Developer teams can easily access PKI, build upon it and integrate it within their own unique processes and infrastructure. We can expect this kind of adoption and acceptance to continue to grow over time.

The open-source community paved the way for this kind of collaboration. Take our own software project, EJBCA, as an example: this open-source certificate authority (CA) has been offered as an open and collaborative project for more than 20 years, generating over 2,000 downloads a month.

Even as a widely used CA software today, EJBCA may have never gotten off the ground if it weren’t built on open-source standards. It certainly wouldn’t have the global reach and impact it has today.

The Benefits Of Open-Source Development

Open-source software (OSS), which has long been widely used for things like infrastructure and test automation, is becoming an increasingly important part of cybersecurity. As enterprises expand their highly distributed cloud-based networks, threat actors target network identities, whether in the form of human users, devices or applications.

The security of the software those identities interact with is critical. The collaborative, open-source approach, which has consistently demonstrated the ability to improve software over time, is valuable in a “shift left” approach to building security into software during the earliest stages of development.

In addition to securing their own software, it has become increasingly important for companies to better understand their software supply chain, particularly when it comes to cybersecurity. Supply chain attacks, such as SolarWinds, have become a favored tactic of nation-state and other actors, tripling in 2021. It’s yet another example of the importance of software security.

Other open-source tools and solutions are helping to enable DevOps’ security efforts, including Ansible for IT automation and Jenkins, an automation server that supports continuous integration. In each case, those solutions support or protect the scaled use of PKI certificates in the DevOps pipeline, helping to enable fast software development and deployment without sacrificing security.

Together, those and other tools underscore the importance of the open-source model to meet—and solve—the complexity and diversity of the challenges facing infrastructure today.

Fueling Future Cybersecurity Efforts With Open Source

Cybersecurity is the next frontier for open-source software. Open-source tools and solutions are easily accessible and adaptable for DevOps teams, as well as being highly scalable and easy to use. And the open-source model of open collaboration and contributions makes it a good bet that those tools will continue to improve.

PKI, meanwhile, helps maintain security during the process. As enterprises have become more distributed throughout the cloud, the overall focus on securing the expanded attack surface has shifted from perimeter defense to a zero-trust strategy based on continually authenticating identities. PKI, a venerable technology by today’s standards, works much like zero trust, providing unique digital identities while securing end-to-end communications.

And while many enterprises are still working through the great “DevOps vs. Security” debate, the shift toward security awareness is promising. This, coupled with the benefits of marrying open source and cybersecurity, can help create a forward-looking frontier.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.