Why Community is Critical in Modern Cybersecurity

Written by GREG ANDERSON | May 1, 2025 12:55:02 PM

It’s never been easy to be a cybersecurity professional; today it’s downright challenging, and that’s frankly an understatement. New threats emerge constantly: over 40,000 common vulnerabilities and exposures (CVEs) were released in 2024, an increase of over 38% compared to 2023 numbers. That’s an average of 109 per day.

Aside from CVEs, there are a number of other threat vectors, including those driven by AI. After an already-difficult 2024, 93% of cybersecurity leaders are expecting daily AI-based attacks this year. In particular, AI is supercharging phishing by making phishing emails sound more convincing, creating deepfakes that are hard to spot, and even speeding up brute-force password guessing and vulnerability scanning.

To make the situation worse, bad actors are often part of a team. For example, Salt Typhoon, which was recently back in the news for a Cisco hack, is believed to be a Chinese-government-affiliated group of hackers. Threat groups can act in concert to find and exploit vulnerabilities on a much bigger scale than a single hacker can – they have more man-hours, more resources, and so on. On top of that, bad actors only have to find one hole in a cyber defense. Cyber defenders have to be perfect (or as close to perfect as humanly possible).

Fortunately, cybersecurity professionals can also work in a team, and I mean beyond the teams they belong to at work. The global cybersecurity community has put a lot of time and effort into supporting each other and sharing knowledge.

For example, there are organizations like OWASP, the Open Worldwide Application Security Project, which dates back to 2001. Both myself and Matt Tesauro, our CTO, have deep relationships with OWASP. Over the years, they’ve developed things like SAMM (the Software Assurance Maturity Model) and the ASVS (Application Security Verification Standard)—frameworks, tools, and references that are open for anyone to use and volunteer-powered. 

Having seen the power of community for ourselves via OWASP, we chose to build DefectDojo as an open-source project when we launched it. Our community of users has been an invaluable resource as we build and improve our platform. Contributors like those in our Hall of Fame have helped revamp our UI, improve our code significantly, field issues, and more. This kind of collective wisdom has been essential to DefectDojo’s Community Edition continuing to help users tame their cybersecurity data and adopt a unified vulnerability management approach.

In addition, our close relationship with our community has had a significant impact on our roadmap. For example, our most recently released tools, the universal parser and the rules engine, were both requested by our users. Both Matt and I are on GitHub regularly to keep DefectDojo up to date, see what our users are requesting next, and answer any questions they may have.

Our cybersecurity corner is just one part of a larger open-source software movement. Open-source software (OSS) as a whole would cost almost $9 trillion for companies to create on their own. In one survey, 96% of the commercial code bases tested were found to use some sort of open-source software, and not just in small pieces: the Linux Foundation has found that code bases are usually made up of 70-90% open-source software or code.

It can be easy to lose sight of the power of community in our individual-focused society. But cybersecurity problems aren’t limited to companies of a certain size or headcount. Bad actors don’t discriminate. They’ll attack businesses and cybersecurity teams of all sizes and means. Without the collected wisdom and knowledge contained in open-source software like that provided by OWASP or DefectDojo, our world, our businesses, and our tech would be a lot less secure.