When I was an early teen discovering hacking, I remember using cool tools like nmap, sqlmap, wireshark, and metasploit. These were my go-to tools and they worked really well. On the side, I tried my hand at Python, PHP, and MySQL to build basic applications.Fast forward 10 years, and we see a lot of innovation within the developer community. We now have fancier open-source frameworks and the capability to scale servers in seconds, among other advancements. However, strangely the growth in security tools hasn’t quite matched up.

In fields like development and cloud infrastructure, we’ve seen tremendous enhancements and innovations with tools like terraform, docker, and kubernetes. But when was the last time you heard about a new, innovative, up-to-date open-source security tool addressing the CVEs, new vulnerability types, and newest attacks? Development tools have become so user-friendly that even non-developers can build a website in minutes, but can non-infosec individuals similarly integrate security tools with such ease?

Classic scanning tools like openvas, metasploit, sqlmap, and owasp zap have been top-notch and immensely helpful to users and companies. Yet, the pace of innovation in infosec has been slow compared to that in development tools.

I believe there are a few reasons that contributes to this. Perhaps the influence of big players, who heavy paywalls, makes these tools less accessible. Security often seems more complicated than it truly is, which might discourage a wider audience of developers and DevOps professionals. The perception that open-source tools are less user-friendly, buggy, or lack support has persisted, though this is changing with growing communities like of ProjectDiscovery. Additionally, there’s a view that paid tools are inherently more reliable and up to date. Security is a risky business, and companies often approach it with a mindset of ‘Take my money and secure me”.

Additionally, in the security, secrecy is often paramount, whether it’s in the context of bug bounties or general security research. Individuals tend to keep their exploits, new attack vectors, and techniques mostly to themselves. The sale of exploits and zero-days is big business, often POCs are kept private to maintain a competitive edge, yet this approach leaves the wider internet vulnerable. The time from public exploit disclosure to patching is lengthy, and black hats can always reverse-engineer the latest CVEs to exploit hosts across the web.

Because security is a serious business compliance and certification requirements also hinders the adoption of open-source security tools in certain industries like banking. However, this is changing, and trust in open-source tools is growing among security professionals.

With advancements in blockchain, cryptocurrencies, free speech social media, and AI, communities are forming around the globe with shared goals and values, transcending traditional approaches to technology and work. I feel opensource will be more innovative because they are mostly run by passion-driven amateurs who can produce work of equal or superior quality compared to professionals of big companies.

I remember reading a quote from Steve Jobs in his last email to himself somewhere on the internet which highlights our interdependence and shared innovation:

I grow little of the food I eat, and of the little I do grow.
<code><span style="background-color: initial; font-family: inherit; font-size: inherit; text-align: initial; color: initial;">I did not breed or perfect the seeds.</span>I do not make any of my own clothing.
I speak a language did not invent or refine
I did not discover the mathematics I use.
I am protected by freedoms and laws I did not conceive of or legislate, and do not enforce or adjudicate.
I am moved by music I did not create myself.
When I needed medical attention, I was helpless to help myself survive.
I did not invent the transistor, the microprocessor, object oriented programming, or most of the technology I work with,
I love and admire my species, living and dead, and am totally dependent on them for my life and well being.

Beyond security tools, I truly believe that open source is the future. Eventually, all major corporations will need to adopt greater transparency and openness otherwise, they won’t be able to maintain the pace of global innovation. The impact of open source is only growing stronger. All of humanity is interconnected, relying on collective innovation. As boundaries blur with the rise of remote work, cryptocurrencies, and AI, the true catalyst for change will likely be AGI.

Paul Graham was truly visionary when he wrote about this in 2005. You can read his thoughts here: Paul Graham on Open Source.

At ProjectDiscovery, particularly within the nuclei-templates community, we’re pushing the boundaries of open-source innovation. For instance, AWS cloud configuration reviews can be conducted using the modular, portable, and configurable open-source nuclei-templates, which provide full control to the user to write their own checks. We’ve seen contributors add templates for new CVEs within hours to days of their disclosure, which enables everyone, from large public companies to garage startups, to secure their assets easily and for free.

By open-sourcing critical research in fields ranging from security to healthcare to AI, we could significantly impact society. This approach has the potential to access to powerful technologies, including AGI

Open-source empowers more individuals to participate in and benefit from technological progress, thereby enhancing security education and awareness among developers.

Kudos to all the new open-source security and scanning tools like ffuf, kiterunner, axiom, rustscan, and prowler etc…

Personally, I would encourage everyone to contribute to initiatives that ultimately make the world a better place. I’m particularly interested in seeing the opensource trend expand into the security and medical industry, where people can take control of their general health through open-sourced research. The same goes for AI. A company possessing AGI would have unprecedented leverage over the entire world, making it more powerful than we can imagine. Thus, I firmly believe in opensourcing.

- pwnmachine