Tython: Open-source Security as Code framework and SDK

Development teams utilize automation through Infrastructure as Code (IaC) to facilitate rapid and frequent changes to their cloud-native architectures. Security teams must adopt automation and incorporate security measures into code to keep up with the quickly evolving software development. Now, there’s Tython, an open-source framework that makes Security as Code (SaC) available to everyone.


Check that all databases have a Data Sensitivity tag

Tython allows security teams to build custom security reference architectures and design patterns as code. oak9’s security architecture team has used Tython internally for years to codify industry reference architectures from organizations like Cloud Security Alliance, NIST, AWS, Azure, GCP, OWASP, and more. The team recognized the importance of opening this framework to the larger community.

Tython benefits for security teams

Tython revolutionizes how security and development teams operate and collaborate — it democratizes security for developers, enables development and security to work autonomously, and creates shared responsibility around security.

“With Tython, your team can define and enforce security standards in code, automatically detect and remediate design gaps, and ensure that your security guardrails are in place. Plus, Tython’s bring-your-own-language approach lets everyone work in the programming language they know best. Tython gives you real-time feedback on code changes, so you can catch and address security issues before they become bigger problems,” Aakash Shah, CTO of oak9, told Help Net Security.

Bring-your-own-language model

“We are firm believers in developer and security freedom. This means allowing engineers to choose their tech stacks to solve customer problems. The bring-your-own-language model enables developers and security engineers to operate in the languages they are familiar with. This means a lower learning curve for them. In large environments with polyglot teams, different parts of the organization can collaborate while using the languages they are familiar with,” Shah commented.

Plans for the future

“We’ll continue to provide improved capabilities for security engineers to express complex security reference architectures easily. We’ll also provide platforms that allow the community to contribute and collaborate on security best practices by defining them in Tython. We’ll keep adding support for new languages beyond Typescript and Python as user feature requests come in,” Shah concluded.

Users can clone the Tython repository from GitHub within minutes, and build and test their security blueprints.

Don't miss