From Ruins to Resilience: How Developing and Utilizing Open Source Solutions Enhances CSIRT Capabilities


“Some cities have fallen into ruin and some are built upon ruins but others contain their own ruins while still growing.” Jeffrey Eugenides

Introduction

At CIRCL (Computer Incident Response Center Luxembourg), part of the Luxembourg House of Cybersecurity (LHC), we embarked on a journey to build and sustain open-source solutions for CSIRTs. With over 14 years of experience, we’ve gained valuable insights into open-source software development and community engagement in the cybersecurity field. Below are some of the key lessons we’ve learned along the way.


When you buy proprietary tools, you are at the low end of both “doing” and “capabilities.” You rely on external vendors, and your organization has little control over customization or internal improvement. Integrating proprietary or open-source tooling via APIs is a step up in capabilities: you are working to connect systems, but you may still depend on external providers for updates or changes. Contributing to open-source projects increases both capabilities and autonomy. At this stage, your organization is actively shaping the tools it uses, and you are likely interacting directly with the open-source community. The peak of capabilities and “doing” is reached when your team actively maintains open-source tooling. Here, the organization takes full ownership of development, support, and customization, gaining the highest level of control and expertise, and often finding the work creatively rewarding as well.

First Lesson: Publish and Embrace Criticism

Read more about our methodology framework


Second Lesson: Practice Vulnerability Handling

Read more about MISP security and our approach to coordinated vulnerability disclosure


Third Lesson: Open Source as a Facilitator for Partnerships


Fourth Lesson: Managing the Ruins of Software Dependencies

What about the ruins quote?

“Some cities have fallen into ruin and some are built upon ruins, but others contain their own ruins while still growing.” Jeffrey Eugenides

Software and security are indeed built on top of ruins. There are different ways to acknowledge this fact. One option is to ignore it and let the city fall into disrepair. Another is to simply build on top of the existing ruins. But the most interesting and rewarding approach is to embrace the ruins and use them as a foundation for growth. Open source and software, in general, are full of such ruins, and that is precisely how growth happens.


Fifth Lesson: Open Source as a Standard Generator


Sixth Lesson: Learning from Threat Intelligence Collection


Seventh Lesson: Embrace Failure


Learn more about CLA-free initiatives


Ninth Lesson: Open Source as a Tool for Staff Retention and Skill Development


Conclusion

The open-source journey for a CSIRT team is challenging but rewarding. It pushes back against the status quo, enhances team capabilities, and allows for a focus on developing staff instead of acquiring products. By continuously contributing to and maintaining open-source projects, organizations can significantly boost their capabilities.


Additional Notes

Does this apply to other teams or organizations besides CSIRTs?

Most likely, these experiences have been shared by various teams, and some of the lessons may also apply to your organization, team, or project. Feel free to adapt and use any of these ideas.

Acknowledgement

Thanks to my teammates and colleagues at CIRCL for the discussions and work on this topic over the past 14 years. A special shout-out to Jean-Louis for the insightful conversations around Turn the Ship Around. This presentation was first given at the CERT-EU Conference 2024. Many thanks to the CERT-EU team, and especially to Saâd Kadhi, for the opportunity and support.

Some Open Source at CIRCL