Telling people about the virtues of open source security tools is like selling people on ice cream sundaes: It doesn’t take much of a sales pitch — and most people are convinced before you start.

It’s probably not surprising that most security professionals are already using open source solutions to put a cherry on top of their existing security infrastructure. From Wireshark to OpenVAS and Kali Linux, open source software is a key component in many security practitioners’ arsenal.

But despite the popularity of open source tools for technical tasks, practitioners often view risk management and compliance initiatives as outside the purview of open source. There are a few reasons for this. For example, open source projects that directly support these efforts are harder to come by, and there’s often less urgency to implement them than technical solutions that directly address security issues. Although open source solutions aren’t always top of mind when it comes to these broader efforts, they can help IT teams maximize the value of their risk management frameworks and boost the organization’s overall security posture.

5 Ways to Supplement Your Risk Strategy Using Open Source Software

Two years ago, we compiled a list of free and open source tools to help organizations build out a systemic risk management strategy. Since much has changed in the cybersecurity world since then, let’s take a look at some additional tools that can help you cover more ground, drive efficiency and add value to your existing risk management strategy.

1. Threats and Situational Awareness

All security practitioners know risk is a function of the likelihood of a security incident and its potential impact should it come to pass. To understand these variables, it’s crucial to examine the threat environment, including what tools attackers use, their motivations and methods of operation, through formalized threat modeling.

When it comes to application security, threat modeling enables practitioners to unpack software and examine it from an attacker’s point of view. Tools like OWASP’s Threat Dragon and HTML5-based SeaSponge help security teams visually model app-level threats. If used creatively, they can be extended to model attack scenarios that apply to data and business processes as well. Security teams can also incorporate threat modeling directly into governance, risk management and compliance (GRC) processes to inform assessment and mitigation strategies.

2. Workflow Automation

Logistical and organizational considerations can have a significant impact on risk management. The process has a defined order of operations that might span long periods of time, and it takes discipline to see it through. For example, risk assessment should occur before risk treatment, and treatment should be completed before monitoring efforts begin.

It’s also important to account for interdependencies. It might be more effective to assess a RESTful front-end application before the back-end system it interfaces with, for instance. It’s all about timing: If you assess the risk associated with an application or business process today, what will happen a year from now when the business process has evolved? What if the underlying technology shifts or the business starts serving new customers? What about five years from now?

Process automation tools, such as ProcessMaker and Bonita, can help security teams support both of these aspects of the risk management process. These are not necessarily security solutions, but tools designed to build and automate workflows. In a security context, they can help analysts automate everything from policy approval to patch management. For risk management specifically, these tools help security teams ensure that each step is followed in the correct order and that risks are reassessed once the process has run to completion.

3. Automated Validation

The process of implementing a risk mitigation strategy has two steps: The first is to select a countermeasure or control to address a certain risk. The second is to validate the effectiveness of that countermeasure. It can be extremely time-intensive to execute the second part of the process consistently.

The Security Content Automation Protocol (SCAP) can help security leaders ensure the validation step is performed consistently and completely. Introduced in National Institute of Standards and Technology (NIST) Special Publication 800-126, SCAP enables analysts to define vendor-agnostic security profiles for devices and automatically validate their configuration.

One benefit of using SCAP for validation is the degree of support in the security marketplace. Most vulnerability assessment tools natively support it, as do a number of endpoint management products. By employing tools such as those available from the OpenSCAP project, security teams can derive value today and in the future as security toolsets evolve.

4. Documentation and Recordkeeping

Risk decisions made today are much more defensible in hindsight when there’s documentation to support them. Let’s say, for example, that you’ve evaluated a countermeasure and decided that the cost to implement it outweighs the risk — or that your organization has reviewed a risk and decided to accept it. Should the unthinkable happen (e.g., a data breach), it’s much easier to justify your decisions when there’s documentation supporting your analysis and the conclusions you’ve drawn. While any record-keeping tool can help you do this, a specialized solution, such as the community version of GRC Envelop, can add value because it was developed with risk activities in mind.

5. Metrics and Reporting

Finally, open source tools can support ongoing metrics gathering and risk reporting. There are numerous aspects of a risk program that are worth measuring, such as near-miss information (i.e., attacks that were stopped before causing damage), log data, mitigated incidents, risk assessment results, automated vulnerability scanning data and more.

Tools like Graphite are purpose-built to store time-series data — numeric values that change with time. Collecting and storing the data enables analysts to report on the risk associated with the assets being measured. The more frequently they collect it, the closer they can get to producing a continuous view of the organization’s risk profile.
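To tie the validation step (section 3) to the metrics step (section 5), the following added example, which is not code from the article or from the OpenSCAP or Graphite projects, parses an XCCDF result file such as `oscap xccdf eval --results` produces, counts rule outcomes, lists the failed rules with their severity, and encodes the counts as Graphite plaintext-protocol lines. The XCCDF 1.2 namespace and Graphite's `<path> <value> <timestamp>` line format are the only assumptions; the sample result and its rule ids are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Added example, not code from the article or from OpenSCAP/Graphite.
# Assumes the XCCDF 1.2 result namespace and Graphite's plaintext
# protocol ("<path> <value> <unix-timestamp>", one line per metric).
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample shaped like the <TestResult> that `oscap xccdf eval
# --results` writes; rule ids are placeholders, not real SSG rule names.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <target>host-a.example.internal</target>
    <rule-result idref="xccdf_example_rule_ssh_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_pw_max_days" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_legacy_fs" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarise_xccdf(xml_text):
    """Return (target, Counter of outcome -> count, [(rule id, severity)] for fails)."""
    tr = ET.fromstring(xml_text).find("x:TestResult", XCCDF_NS)
    target = tr.findtext("x:target", default="unknown", namespaces=XCCDF_NS)
    counts, failed = Counter(), []
    for rr in tr.findall("x:rule-result", XCCDF_NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[outcome] += 1
        if outcome in ("fail", "error"):  # "error" = check did not run, so not validated
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    return target, counts, failed

def graphite_lines(target, counts, timestamp):
    """Encode the counts as Graphite plaintext lines; '.' is Graphite's path
    separator, so it is replaced in the hostname."""
    host = target.replace(".", "_")
    return [f"risk.scap.{host}.{k} {v} {timestamp}" for k, v in sorted(counts.items())]

if __name__ == "__main__":
    tgt, c, f = summarise_xccdf(SAMPLE_RESULTS)
    print("\n".join(graphite_lines(tgt, c, 1577836800)))
    for rule, sev in f:
        print(f"FAIL {sev}: {rule}")
```

The printed lines can be piped to Graphite's carbon plaintext listener (TCP port 2003 by default), and the failed-rule list is the evidence worth attaching to the risk record described in section 4.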

The Cherry on Top of Your Risk Management Strategy

As we’ve shown, there are quite a few open source alternatives out there that can add value to the risk management activities you may already be performing. By choosing the right tools to supplement your strategy, you can drive efficiency with your risk efforts, realize more valuable outcomes and improve your organization’s overall risk posture today and in the future.
