How To Be Successful with Open Source Security Tools and Projects

July 22, 2015

In today's Whiteboard Wednesday, Tod Beardsley, Security Research Manager at Rapid7 will discuss the steps you should take to become successful with your next open source project.

Video Transcript

Hi, this is Whiteboard Wednesday here at Rapid7, I'm Tod Beardsley, security research manager here. But instead of talking about security today, I'm going to talk more about open source software development, which is a cornerstone of our success here at Rapid7, especially with Metasploit Framework, which as you may or may not know is hosted on GitHub. So we're going to talk about secrets to GitHub success.

Show more Show less

I think the number one key to our success is the diversity of our contributors. We have contributors from all over the world, from lots of different backgrounds, many of whom are not professional software engineers. They're hackers. They're hobbyists. They're tinkerers. They're QA people. They're IT people. They're doc writers. And so that just in and of itself has been really, really, really helpful for us.

When you have an open source project that is only worked on by maybe members of your immediate team that you work with every day, you run a risk of accumulating this pile of tribal knowledge that only you know. You may never communicate out certain things about your development environment to the Internet. And so it gets really hard for new people to show up and jump in. So we make a conscious effort to ensure that we don't run into that trap. When we have this diversity of our code base, it's really hard to accumulate tribal knowledge because we're always having to tell people how to do things.

Also, when we have contributors who have just way different backgrounds, right, we're not all white and male and mid–career and native English speakers. That in itself is a huge strength because it forces us to communicate in ways that are accessible to basically everyone who wants to get started on that. I'm really happy about that.

So when we have new contributors show up, it's a real hassle to treat them with respect because it's so much easier just to yell at people for doing it wrong or ignoring them when they maybe submit something that is not exactly what we want. But if we ended up doing that all the time, our projects would all die. So we don't do that. We do try to treat everyone with respect. And that in itself is sometimes a little bit trying when you have total newbs, but I really like having new people show up because, again, that just constant influx of new blood and new perspective really helps us keep all of our projects on track.

If you are looking to get started in some open source development, especially in security, I would totally expect you to go to Metasploit. It's a pretty big project. But it is many, many, many thousands of lines of code, right? We have about 60 or so public repos out there. GitHub, of course, has hundreds of thousands to millions. So there is a project for everyone, from little to big. And they all have a desperate need for you to help out.

And the takeaway for you is that you end up getting that diversity boost in your background, right? When you start dealing with maybe groups of people that have never dealt with someone like you before, you tend to learn things. They learn things. Everybody learns things. Software gets better. The world is a better place.

So if you want to jump in on any of our projects, we're at If you'd like to learn more about maybe the social background of producing open-source software and open-source governance and all that, I really, really like the book "Producing Open Source Software." It's available for free on You can also buy it if you are the sort to buy things that are available for free. And yeah, so it's super fun writing open source.

So thanks for watching. And we'll talk to you next week

[Toolkit] CIS Top 20 Controls

Looking to implement the CIS top 20 security controls? Download our toolkit to get started.

Download Now