Pete Herzog: My open source story
How open source found me
This isn't a story about me finding open source—this is about how open source chose me.
What I knew about open source back then was Linux and everything GNU. Many of the tools in security were released as free, but not as open source software. Not anything, actually. They were tools people needed, and so they posted them on their website with the source code for others to use too—both as a contribution and as a way to show off something cool they built. It was a type of flag you waved for geek cred.
For me, open source started as a legal hoop I had to jump through. I had just left a job and the country. Before I could start the next chapter, I began to work on a methodology. Since it was another country, I had to get working papers and deal with red tape. Waiting in long lines left me a lot of time to think. At that time, I wanted to develop an optimal security testing methodology that was as thorough as it was correct. I wanted to make it based on scientific fact and not some best practices someone made up. Then I wanted to use it to bring efficiency, accuracy, and quality to penetration testing, and I spent all my time thinking about it.
On a train ride back from yet another consulate visit, it all came together. I figured it out. I mapped it out. It made sense. It worked.
I posted it online for comment. And people did. The methodology improved. And that's when I noticed something about science had shifted. Something big.
Maybe Isaac Newton saw farther because he stood on the shoulders of giants. But with open source solutions, we no longer needed giants. Open source software means we can see just as far with regular people, like me. We don't always need great academics and scientists to do great things. We just need many sincere people who want great things and are willing to help make it happen.
You see, it turns out that in science fact doesn't come from the grand leaps of discovery, but rather from the small, careful steps of verification. That made it ideal for open source because we didn't need a giant to make a great leap, we just needed many people to help verify our methodology one small step at a time.
Figuring this out early made my venture into open source software a really satisfying one. This meant that open source wasn't a means for having a community help write a methodology. It was about writing a methodology and building a community to help me make it the one that we all needed to use.
So open source chose me. It was the right fit for science and discovery, and so it just happened. I can't take credit for any of that. But it's not the reason why I decided to work in open source.
Now when you work in information security, it's hard to be out of work for very long. You have to actively try to remain unemployed. Therefore the moment I had my working papers, I began working. The big corporation that hired me even assisted in making my papers come through faster so I could start sooner.
After a few weeks of work, a project came up to test security. We had to create a method for the team to do the tests. "Perfect," I thought, "I have just the thing." There was one problem, though: the company didn't know if we could use a random methodology off the Internet. I told them I wrote it. They said they needed to talk to the lawyers, as it might be that if I brought it into work I was giving them ownership. And that was something I had never once considered.
You see, collaboration is a part of life. Licensing isn't, and I was skeptical about making it open source. As I said, at the time there was little known about using it for a document. There was a version of the GPL for documentation, but again that was more for technical writings that supported software. It didn't fit a methodology. There was an open source cookbook released as GPL, but it just collected different people's recipes from a community; it wasn't building a tool.
I needed something that let companies like mine use it, but not change it or in any way diminish the quality of the work. As a method it needed to standardize how security was tested, which couldn't happen with hundreds of versions floating around.
So I figured I just needed to call it open source and then it was, like magic. I don't know why I thought that, and please excuse me for being young and dumb, but I'm sure you've all got your own share of stupid moves too from your youth. So I named it the Open Source Security Testing Methodology Manual, the OSSTMM. It's a damn ugly name for a beautiful piece of science, and I regret naming it that every day instead of something more marketable. But I only did it to make it open and free as quickly as possible so I, and everyone else, could use it at work.
Except, as the lawyers pointed out, there was no license. Not even a copyright.
In the meantime, the OSSTMM had grown a small community of people from around the world. After talking to them about it, somebody suggested I copyright it and leave the copyright with a nonprofit organization to promote it. So we did that with ISECOM.
Later we learned that a methodology couldn't be copyrighted as it was legally considered a trade secret. All I was doing was copyrighting the written words, but not protecting the method. What we needed was an open trade secret, which didn't exist. So I talked to lawyers.
I spent a weekend creating the Open Methodology License (OML), which originally borrowed heavily from the GPL with the only purpose of labeling something as a Trade Secret with the owner being everyone. An open trade secret. Go figure. That let us keep the methodology open and free while restricting forks and rewrites of the document as a standard that industries could uphold for regulatory requirements.
In the end, my company's lawyers accepted the OML and my team could use and further improve it by verifying each little step.
And that's my happy, triumphant, open source story.