One of the things that comes with being an open source company is a commitment to transparency. As an industry, we mostly think about this in terms of source code; at Sourcegraph we also think of it in terms of the company itself, including product direction. I’d like to extend that to security. In an ideal world, security would be as open as our codebase. That ideal is hard to reach in practice, and it might be an audacious idea, but it’s one worth striving for.
For the most part, companies view security as a cost center instead of a strategic investment. As a result, security is treated as reactive rather than proactive, and the numbers reflect it: the average cost of a data breach reached $3.86 million in 2020, and the average time to identify and contain a breach now stands at 280 days, a figure that has barely moved since 2019. It’s clear that there’s room for improvement.
So ask yourself: why don’t I know about a given company’s security policies and procedures? Why do companies affirm that they adhere to guidelines and maintain policies, but never disclose those policies? Procedures will always differ from company to company, but at the very least we could be more transparent about them. Software development repeatedly gets a second set of eyes, through pull requests, architectural discussions, and testing; that is part of what open source exists to provide, and security deserves the same treatment. Let’s call this improved direction Transparent Security.
At Sourcegraph, we’re starting down the path to Transparent Security. We conducted our most recent penetration test with a trusted third party, and you can download those results here. We maintain a private repository for security issues, but we discuss our security roadmap and backlog publicly. We disclose security vulnerabilities as they’re patched, and we post updates on our progress on the security front. So in some cases we’re already public about the issues we’re addressing, but we’re not fully transparent yet.
Security should never be focused solely on responsible disclosure and responding in reactive mode. It’s about proactively doing what’s right to protect data, and about professionals working together for the common good. A transparent approach means we’re collaborating on that proactive work with the public, not just the Sourcegraph team. You, dear reader, can be that second set of eyes. The next step for Sourcegraph is to run ongoing vulnerability scans and publish the results. We’ll begin publishing once we’ve addressed some of the vulnerabilities those scans turn up, since posting a list of known but unpatched issues would hand attackers a map rather than help defenders; over time, as fixes keep pace with findings, these reports will be provided closer and closer to real time. We’re in the midst of documenting our security policies, which we will post publicly in our handbook. This is only the beginning.
There are plenty of great ways to help us make a better, more secure product. You can report a vulnerability, review the code, or even contribute to Sourcegraph. Maybe you’d like to share your thoughts on security with us by emailing [email protected], or even join the team!