The Power of Composability: Building Security with Open Source Ecosystems

Learn how reusable security components help teams observe cloud environments, orient with standards, make informed decisions, and take coordinated action.

Turbot Team
15 min. read - Apr 24, 2025

If there's one thing we've learned from years of building cloud security solutions, it's that no single tool solves everything. Not even ten tools can address all the security challenges that modern organizations face. But what if we approached security differently? What if we built our security architecture to be as flexible as the cloud itself?

At the recent Open Cloud Security Conference, our CEO and co-founder Nathan Wallace shared Turbot's vision for composable security. Drawing from his experience leading cloud and DevOps at Johnson & Johnson back in 2012 (when cloud was still considered "evil" in many enterprise settings), Nathan outlined how open source tools and composable architectures can transform our approach to cloud security.

Check out the full talk below, or keep reading for a summary of the key points.

Why Cloud Security Is Hard

Let's face it: cloud security is challenging and getting more complex by the day. Most organizations run multiple public clouds with hundreds of services that constantly evolve. Each AWS re:Invent or similar cloud conference introduces new capabilities that teams eagerly adopt, leaving security professionals scrambling to understand and secure them.

Meanwhile, development teams can deploy infrastructure with just an internet connection and a credit card. This is precisely the agility businesses want, but it creates a fundamental challenge for security teams: how do we enable innovation while maintaining appropriate guardrails?

The stakes are higher too. Cloud environments can expose mistakes more publicly than traditional data centers, and customer expectations for security have never been greater. Even after identifying issues, implementing fixes without disrupting operations remains difficult.

The OODA Loop of Cloud Security

Security fundamentally works as what military strategists call an OODA loop: Observe, Orient, Decide, and Act. John Boyd developed this concept for the US Air Force as a framework for situational awareness and decision-making. This same model applies perfectly to cloud security:

  • Observe the state of your environment (like S3 buckets)
  • Orient yourself with standards (buckets shouldn't be public)
  • Decide on a course of action (prevent public buckets)
  • Act on that decision (implement controls)

[Figure: OODA loop]

Let's examine how composability enhances each stage of this loop.

Observe: Making Data Accessible

Security starts with observation, which means data collection. The challenge? Security data comes from hundreds of sources: cloud services, logs, APIs, SaaS tools, and more.

For this data to be useful, it must be:

  • Fresh and accurate, not days or weeks old
  • Consistent and queryable across platforms

At Turbot, we built Steampipe to address this challenge. By standardizing access to diverse data sources through SQL, we created a common language for security data. Want to check if GitHub users have MFA enabled? That's a SQL query. Need to verify if AWS EBS volumes are attached to instances? Also a SQL query!

  -- Steampipe: list GitHub users and whether they have 2FA enabled
  select
    name,
    login,
    created_at,
    two_factor_authentication
  from
    github_repo_user;

This SQL layer doesn't just serve security teams. It provides value across the organization, from DevOps to finance to application teams. Anyone can query cloud resources using familiar SQL syntax.

The plugin model makes Steampipe incredibly extensible. We've developed over 170 plugins covering major cloud providers, SaaS platforms, and infrastructure services. The community has added even more, creating plugins for everything from Salesforce to SAP.

Orient: Customizing Standards

Once you can observe your environment, you need to interpret what you see through the lens of standards and best practices. Here, the security community already has strong foundations: CIS benchmarks, NIST frameworks, PCI standards, and others provide common languages for security controls.

These standards accelerate assessment by offering predefined best practices. They're also inherently composable - controls can be grouped into benchmarks, mapped across frameworks, and adapted to different contexts.

However, every organization has unique requirements. Some need to keep data within specific regions. Others require server rotation every 60 days. Some prohibit IAM access keys entirely, while others rely on them for external integrations.

Powerpipe addresses this by building on Steampipe's SQL foundation. Controls are defined as simple queries against the data layer, then composed into custom benchmarks that blend standard frameworks with organization-specific requirements.
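As an added illustration of that composition (not code from the Turbot mods or this talk), here is a small Powerpipe mod in HCL. It defines two organization-specific controls as SQL against Steampipe's aws_s3_bucket and aws_ec2_instance tables, then composes them into one benchmark alongside a standard benchmark pulled in as a dependency. The mod name, the approved region list and the dependency benchmark name aws_compliance.benchmark.cis_v300 are assumptions for this example.

```hcl
# Assumed mod name; the require block pulls the public AWS compliance mod in as a dependency.
mod "acme_security" {
  title = "ACME cloud security baseline"
  require {
    mod "github.com/turbot/steampipe-mod-aws-compliance" {
      version = "*"
    }
  }
}

# Org-specific control: the Orient step from the OODA example (buckets shouldn't be public).
# Powerpipe expects resource, status and reason columns; region and account_id are extra dimensions.
control "s3_bucket_not_public" {
  title    = "S3 buckets should not be publicly accessible"
  severity = "high"
  sql      = <<-EOQ
    select
      arn as resource,
      case when bucket_policy_is_public then 'alarm' else 'ok' end as status,
      name || case when bucket_policy_is_public then ' is public.' else ' is not public.' end as reason,
      region,
      account_id
    from
      aws_s3_bucket;
  EOQ
}

# Org-specific control: data residency. The approved region list is an assumption for this example.
control "ec2_instance_in_approved_region" {
  title    = "EC2 instances must run in approved regions"
  severity = "medium"
  sql      = <<-EOQ
    select
      arn as resource,
      case when region in ('eu-west-1', 'eu-central-1') then 'ok' else 'alarm' end as status,
      title || ' is in ' || region || '.' as reason,
      region,
      account_id
    from
      aws_ec2_instance;
  EOQ
}

# The custom benchmark blends a standard framework with the organization's own controls.
benchmark "acme_baseline" {
  title = "ACME baseline"
  children = [
    aws_compliance.benchmark.cis_v300,   # assumed benchmark name from the dependency mod
    control.s3_bucket_not_public,
    control.ec2_instance_in_approved_region
  ]
}
```

With a Steampipe service running and the AWS plugin installed, `powerpipe mod install` fetches the dependency and `powerpipe benchmark run acme_baseline` evaluates the standard and custom controls in one pass; swapping a control's query or adding another child is all it takes to adapt the benchmark to a new requirement.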

[Figure: OODA loop]

Decide: Adding Context and Workflow

Standards tell you what's wrong, but deciding what to do requires organizational context. Is this finding critical in your environment? Who should fix it? Will remediation break anything? Is this in development or production?

Running a CIS AWS compliance report might take seconds, but deciding what to do with the results requires organizational context and workflow integration.

Flowpipe builds on the previous layers to enable workflow integration. It queries the standardized data layer and routes findings through appropriate channels like Slack notifications, helping organizations make and communicate decisions.

Act: Implementing Changes Safely

Finally, implementation often requires coordinated action across teams. Security teams rarely press the "fix" button directly - instead, they collaborate with application teams to implement changes in trusted ways.

Composability helps here too. Flowpipe provides reusable pipelines for common actions, such as deleting an access key by running AWS CLI commands in containers. By making remediation code readable and reusable, it builds trust and understanding across organizational boundaries.
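To make the Decide and Act layers described in the two sections above concrete, here is an added Flowpipe pipeline in HCL; it is example code, not a pipeline shipped by Turbot. It queries Steampipe for active IAM access keys older than a configurable age, sends the list to a notifier so the owning team can decide, and only when explicitly enabled deletes each key by running the AWS CLI in a container. The pipeline name, the local Steampipe connection string, a notifier called default and an AWS connection called default are assumptions.

```hcl
# Assumed: a local Steampipe service with the AWS plugin, a Flowpipe notifier
# named "default" (e.g. wired to Slack) and an AWS connection named "default".
pipeline "rotate_stale_access_keys" {
  title = "Report and optionally remove IAM access keys older than a given age"

  param "max_age_days" {
    type    = number
    default = 60
  }

  # Report-only unless the caller opts in; the Act step is gated on this.
  param "remediate" {
    type    = bool
    default = false
  }

  # Observe: pull the finding from the standardized data layer.
  step "query" "stale_keys" {
    database = "postgres://steampipe@localhost:9193/steampipe"
    args     = [param.max_age_days]
    sql      = <<-EOQ
      select
        user_name,
        access_key_id,
        create_date
      from
        aws_iam_access_key
      where
        status = 'Active'
        and create_date < now() - ($1 * interval '1 day');
    EOQ
  }

  # Decide: route the findings to the people who own the decision.
  step "message" "notify" {
    notifier = notifier.default
    subject  = "IAM access keys older than ${param.max_age_days} days"
    text     = join("\n", [
      for k in step.query.stale_keys.rows :
      "${k.user_name}: ${k.access_key_id} created ${k.create_date}"
    ])
  }

  # Act: delete each stale key with the AWS CLI in a container, one run per key.
  step "container" "delete_key" {
    if       = param.remediate
    for_each = { for k in step.query.stale_keys.rows : k.access_key_id => k }
    image    = "public.ecr.aws/aws-cli/aws-cli"
    cmd      = ["iam", "delete-access-key",
                "--user-name", each.value.user_name,
                "--access-key-id", each.value.access_key_id]
    env      = connection.aws.default.env
  }

  output "stale_keys" {
    value = step.query.stale_keys.rows
  }
}
```

`flowpipe pipeline run rotate_stale_access_keys` reports without changing anything; `flowpipe pipeline run rotate_stale_access_keys --arg remediate=true` performs the deletions. Keeping the remediation step readable and off by default is what lets an application team review exactly what will run before trusting the pipeline with their credentials.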

The Compound Effect of Composable Security

When these layers work together, something remarkable happens - a compound effect emerges where each component provides value independently while enhancing the others. Improvements at any layer benefit everything built on top of it:

  • Add a new Steampipe plugin, and suddenly that data is available for Powerpipe reports and Flowpipe workflows
  • Enhance Powerpipe reporting, and those improvements apply to all your existing data sources
  • Create new Flowpipe workflows, and they work across all your cloud providers

"Security is genuinely just better when it's code," as Nathan emphasized. Code can be read, tested, shared, customized, and extended. It's also AI-ready, making it easier to create new components by leveraging existing patterns.

Security as a Team Sport

Perhaps most importantly, composable security transforms security from a gatekeeper function to a team sport. When security tools are smaller, more accessible, and more transparent, more people can contribute.

Open source components foster understanding and collaboration across organizational boundaries. Developers can see exactly what security checks are running and why. Security teams can leverage the collective wisdom of the community. Everyone benefits from shared improvements.

Building Your Composable Security Architecture

As cloud environments grow more complex, security approaches must become more flexible. No single tool can solve all problems, but by connecting the right pieces through standardized interfaces and extensible components, we can build security architectures that evolve alongside the threats we face.

The open source tools we've built at Turbot - Steampipe, Powerpipe, Flowpipe, and Tailpipe - provide a foundation for this composable approach. Each addresses a specific part of the security lifecycle while integrating seamlessly with the others:

  • Steampipe: Query cloud infrastructure with SQL
  • Powerpipe: Implement compliance checks and dashboards
  • Flowpipe: Automate workflows and remediation
  • Tailpipe: Analyze cloud logs and events

Together, they form an ecosystem greater than the sum of its parts - one that adapts to your organization's unique requirements while leveraging the collective wisdom of the security community.

By thinking of security as composable, extensible components rather than monolithic solutions, we can build systems flexible enough to meet today's challenges and tomorrow's threats.

Start composing your security architecture today

Ready to explore the power of composable security? Check out our open source tools and start building your own security architecture today with Steampipe, Powerpipe, Flowpipe, and Tailpipe. Join the conversation in our Slack community to share your experiences and learn from others!