Open source software is the norm these days rather than the exception. The code is being written in high volumes and turning up in critical applications. While having this code available can offer big benefits, users also must be wary of issues the code can present and implement proper vetting.
Josh Bressers, cybersecurity strategist at Red Hat, emphasized this point during a recent talk with InfoWorld Editor at Large Paul Krill.
InfoWorld: Why is Red Hat getting on the soapbox about open source security?
Bressers: We've been on this soapbox for a long time. Fundamentally, there's a supply chain with software. In the past, you've not really thought of software using the supply chain concept. [In the past, it was thought of as] some dude writes software, and that's how it is. We're realizing now that there are vendors, and vendors provide you with a thing that goes into your product and obviously it's designed in a way that with a supply chain if you use low-quality parts, by definition, you're only going to get a low-quality product out the other side.
I think we're starting to recognize that if you're just grabbing any piece of software you find from a commercial vendor or from the open-source community and you don't know what it is or it's not vetted and you don't know the quality, you put your final product's quality at risk.... You have developers going out to GitHub, going out to Stack Overflow, and they are downloading code. They're not necessarily paying attention to what they're getting and how it's being taken care of.
Open source won. It won because it's used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of, because software doesn't age well. This is something that you have to take care of and you have to pay attention to. You can't just pull software into your project and you're done.
InfoWorld: Where do you go from here?
Bressers: Fundamentally, what it comes down to is you need to understand where your software came from, which means in the open source context, you have to think of open source as a third-party vendor, which means who's paying attention to it? From an organizational perspective, you need either a team paying attention and taking care of this, or you need to find a vendor to work with who will be your representative here and will do all the heavy lifting in terms of vetting the software, understanding what's good, what's bad, keeping it updated, making sure you understand what that means.
That's the piece that's missing today. There's lots of organizations that have developers that will go out, find what they need in the open source universe, pull it in, and then they don't think about it a second time. Obviously, if you do that, if you never update this stuff, eventually there's going to be some sort of problem that you have to deal with in the software. Think of something like Heartbleed. It's a great example where people had literally just pulled this OpenSSL version into their applications, and a lot of them didn't even realize it was there.
InfoWorld: So what do you do about this situation?
Red Hat: I can tell you what Red Hat does, and every organization will be different. We have a team that's dedicated to paying attention to the open source universe, and they watch for security issues. This is where open source is unique compared to some of the third-party, typical software vendors, we could say, is there's a very understood relationship there where essentially they have a product, you pay them for the product, and the expectation is they will maintain it and you will go to them for help and support. In open source, it doesn't exactly work like that. You have two choices.
Number one is you go to a vendor that specializes in essentially productizing open source. [That is] the traditional software vendor relationship. However, there's the alternative option now where you can actually treat open source as your vendor, but it doesn't work in the same way now because you have to pay attention to the community and you probably have to get involved.
I would say if you have an organization that's concerned about this and they are using open source, they need people in-house who can work with the community, who can understand what's being used, and then they can engage at the appropriate level depending upon what's being used. The other side of this coin is you have to make sure that your developers aren't just pulling any random piece of stuff they find. You have to actually have a vetting process to ensure that the software you're using is accounted for so there are no surprises. [And] it has to be high-quality.
InfoWorld: What kind of vetting do you do of the Linux kernel?
Bressers: At Red Hat, obviously, we're known for Red Hat Enterprise Linux but even Red Hat Enterprise Linux is literally hundreds of other open source components put together. It's not just the Linux kernel. The Linux kernel is a big piece of it. Granted, a very important piece. Even though we have tons of kernel expertise, we still have people who focus on the security of the Linux kernel and making sure that we understand what's going on in these kernels: Does this stuff make sense, what are the security issues that we're seeing? What do we do with them, how do we fix them, what's going on?
Heartbleed affected the OpenSSL library, and that was included in Red Hat Enterprise Linux, but we also included it in some of our middleware products, for example, for shipping web servers. We had various other products that used the OpenSSL from Red Hat Enterprise Linux embedded into their own product like an image that could ship them. We pay attention to all of these pieces, and we have teams dedicated to just paying attention to this stuff to make sure that we're using good software that's being vetted.
InfoWorld: What processes do you use at Red Hat, and what do you recommend for others?
Bressers: This is going to depend on, team size, maturity level and just talent to some degree. We fuzz-test certain libraries and applications inside Red Hat. We do automated source code scanning. We do some level of manual scanning. We have a bunch of internal tools that will look at the artifacts that we build, which are making sure we're not making obvious mistakes or making sure that, for example, when you have an RPM package that installs the application or library onto the system, is it putting things in places that make sense? We have dedicated build systems so we understand what's being built, how it's being built.
InfoWorld: Would you say open source software today is more secure than it was five years ago? Is it more secure than proprietary software?
Bressers: Open source is not more secure than proprietary software nor is it less secure. The concept of proprietary software doesn't really exist anymore because virtually every organization has open source inside of the products they're building.
You also asked, is open source more secure today than it was five years ago? There isn't good information on this, necessarily. I would hesitate to say we're more secure. But I think we better understand a lot of the problems, I'm willing to say. Because we have various groups, and Red Hat is one of these and there are also various bug bounties that exist. There are security groups in places like Google that are doing a bunch of testing. There's all these organizations now that everybody is using open source, they're starting to give back. I suspect that as long as things continue the way they are, the future will be better than the past but, of course, it's up to us to make sure we get there because if people stop contributing back to the community, the power of open source is lost. That's the key here around security. You can't just take it and use it. You have to be involved and be a part of it.
InfoWorld: What's next for securing open source software?
Bressers: The big thing that's happening now is this concept of open source needs to be part of your supply chain. The message is starting to get out there, but I don't feel like it's where it needs to be yet because I still think there are a lot of organizations that are treating GitHub or Stack Overflow as a bunch of free software they can just take and that's fine, you never have to worry about it again. But it's not like that. My comparison here would be, what do you think would happen if a car manufacturer literally found some parts in the warehouse? They didn't know where they came from, they didn't know who made them but they're like, "They look great, let's just use those." That would end horribly. That's kind of where we're at in some of these instances where you've got developers just like, "That looks great, I'll take that." We're reaching a point now where we need organizations using this stuff to start understanding their supply chain with open source as part of it.
Error: Please check your email address.
More about GoogleLinuxRed Hat
More:
Open source users: It's time for extreme vetting - Techworld Australia
- Wyplay’s Digital TV Middleware Source Code is Now Available to Members of the Frog by Wyplay Community [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Find Open Source Alternatives to commercial software | Open ... [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Open Source Initiative - Official Site [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- SCALE 11x: Evolution of an Open Source Software Foundation - Stephen Walli - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Bitcoin Baron Keeps a Secretive Open Source OS Alive [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
- osalt.com - Find Open Source Alternatives to commercial ... [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
- Sustainability of Open Source software communities beyond a fork - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
- Bringing MoreWomen to Free and Open Source Software - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
- Acquia podcast with Sensio Labs UK - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
- xTuple ERP + OrangeHRM Open source software leaders integration - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
- Guest articles setting out the author's position on the current status and future directions of KDE and its software [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- Open Source Power for Small Business in 2014 [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- EnterpriseDB Expands in Korea to Meet Rising Demand for Postgres [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- Introduction to FOSS - Free and Open Source Software - Video [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- Out in the Open: Teenage Hacker Transforms Web Into One Giant Bitcoin Network [Last Updated On: January 27th, 2014] [Originally Added On: January 27th, 2014]
- Who says that Open Source Software does not have support? By Rosaria Silipo - Video [Last Updated On: January 27th, 2014] [Originally Added On: January 27th, 2014]
- Microsoft Open Sources Its Internet Servers, Steps Into the Future [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
- Microsoft cloud server designs for Facebook's Open Compute Project [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
- Richard Stallman Free v Open Source Software - Video [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
- UK government looks to open source to cut costs [Last Updated On: January 30th, 2014] [Originally Added On: January 30th, 2014]
- Free Software + $20 USB Dongle = Software Defined Radio, Hak5 1524 - Video [Last Updated On: January 30th, 2014] [Originally Added On: January 30th, 2014]
- Libreoffice 4.2 challenges Microsoft Office with improved Windows integration [Last Updated On: January 31st, 2014] [Originally Added On: January 31st, 2014]
- Fallout 3 Let's Play Pt 6 - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
- 14 1 29 Tom G Open Source Software 1 - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
- 14 1 29 Tom G Open Source Software - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
- How is open source software like great wine? - Video [Last Updated On: February 3rd, 2014] [Originally Added On: February 3rd, 2014]
- Free and open source software key for multicore hardware [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
- Blender Tutorial - 2D Animation (1) Bone Rigging, Shape Character Planes by VscorpianC - Video [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
- Obama Bit Coin Conspiracy? - Video [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
- The Pentagon's Mad Science Is Going Open Source [Last Updated On: February 5th, 2014] [Originally Added On: February 5th, 2014]
- The open source countdown has begun [Last Updated On: February 6th, 2014] [Originally Added On: February 6th, 2014]
- BLOG: Why open source will rule the data centre [Last Updated On: February 6th, 2014] [Originally Added On: February 6th, 2014]
- OpenDaylight Summit: SDN Needs Open Source and Open Standards [Last Updated On: February 10th, 2014] [Originally Added On: February 10th, 2014]
- 7 reasons not to use open source software [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
- The Open Source Initiative | Open Source Initiative [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
- Find Open Source Alternatives to commercial software ... [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
- Has Linux Conquered the Cloud? [Last Updated On: February 13th, 2014] [Originally Added On: February 13th, 2014]
- The New eRacks/NAS36 Rackmount Storage Server Achieves Price/Density Breakthrough: 100TB Storage in Only 4U for Under ... [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- 2012 Red Hat Summit Build a PaaS using Open Source Software ~ Redhat Linux Video YouTube - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- Intel launches big data software suite - free to a good home [Last Updated On: February 15th, 2014] [Originally Added On: February 15th, 2014]
- Three college students build a health provider search site in six weeks [Last Updated On: February 16th, 2014] [Originally Added On: February 16th, 2014]
- The Asgard Show Episode 6 - Video [Last Updated On: February 16th, 2014] [Originally Added On: February 16th, 2014]
- Open source startups: Don't try to be Red Hat [Last Updated On: February 18th, 2014] [Originally Added On: February 18th, 2014]
- Open Source in the Enterprise: To Pay or Not to Pay? [Last Updated On: February 18th, 2014] [Originally Added On: February 18th, 2014]
- DEF CON 12 - Wendy Seltzer and Seth Schoen, Hacking the Spectrum - Video [Last Updated On: February 18th, 2014] [Originally Added On: February 18th, 2014]
- dev@Pulse Speaker Predictions - Jonathan Bryce - Video [Last Updated On: February 19th, 2014] [Originally Added On: February 19th, 2014]
- Facebook Boosts Its Open Source Mojo With New Project [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
- Raising Linux to Grow Open Source [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
- Apple Veteran Named PayPal's First Head of Open Source Software [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
- Open Source Software | 46 of 62 | MconneX - Video [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
- News Flash from Redmond: FOSS Causes Dissatisfaction! [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
- FOSS4G with Eric Brelsford - Video [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
- NYLUG Presents: Mark Tolliver on Palamida. Application Security for Open Source Software (6/25/08) - Video [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
- DARPA Open Catalog Makes Agency-Sponsored Software and Publications Available to All [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
- Munich opts for open source groupware from Kolab [Last Updated On: February 26th, 2014] [Originally Added On: February 26th, 2014]
- Modelling Hands Step by Step Using Free Open Source Software Seamless3d 3 - Video [Last Updated On: February 27th, 2014] [Originally Added On: February 27th, 2014]
- Accelerating the Network with Open Source Software, Erik Ekudden | OpenDaylight Summit 2014 - Video [Last Updated On: February 27th, 2014] [Originally Added On: February 27th, 2014]
- The Commercial Case for Open Source Software [Last Updated On: March 1st, 2014] [Originally Added On: March 1st, 2014]
- Beginners guide to contributing to open source software - Video [Last Updated On: March 3rd, 2014] [Originally Added On: March 3rd, 2014]
- Free Open Source Software [Last Updated On: March 4th, 2014] [Originally Added On: March 4th, 2014]
- Open Source Software - Video [Last Updated On: March 4th, 2014] [Originally Added On: March 4th, 2014]
- Open Source Software EDTC5325 - Video [Last Updated On: March 6th, 2014] [Originally Added On: March 6th, 2014]
- Broadcom Announces Open Switch Pipeline Specification Targeting Growing SDN Application Ecosystem [Last Updated On: March 7th, 2014] [Originally Added On: March 7th, 2014]
- RIT launches nation’s first minor in free and open source software and free culture [Last Updated On: March 7th, 2014] [Originally Added On: March 7th, 2014]
- Forum created to push optical SDNs [Last Updated On: March 10th, 2014] [Originally Added On: March 10th, 2014]
- Google embraces open source for 10th year of Summer of Code [Last Updated On: March 10th, 2014] [Originally Added On: March 10th, 2014]
- Is Open Source Software The Answer to Oregon's IT Problems? [Last Updated On: March 11th, 2014] [Originally Added On: March 11th, 2014]
- Spenden Ticketautomat mit Open Source Software auf der CeBIT 2014, CMS Garden - Video [Last Updated On: March 14th, 2014] [Originally Added On: March 14th, 2014]
- 2012 Red Hat Summit Build a PaaS using Open Source Software - Video [Last Updated On: March 14th, 2014] [Originally Added On: March 14th, 2014]
- CyanogenMod receiving Linux New Media Award 2014 (Best Open Source Software App for Android) - Video [Last Updated On: March 15th, 2014] [Originally Added On: March 15th, 2014]
- Real tech 25 Finding open source software you can trust - Video [Last Updated On: March 15th, 2014] [Originally Added On: March 15th, 2014]
- Tor is building an anonymous instant messenger [Last Updated On: April 10th, 2017] [Originally Added On: March 15th, 2014]
- MailPile is now in Alpha [Last Updated On: April 10th, 2017] [Originally Added On: March 15th, 2014]
- $2,400 “Introduction to Linux” course will be free and online this summer [Last Updated On: April 10th, 2017] [Originally Added On: March 16th, 2014]
- Linaro announces MediaTek as member [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
- TN state departments asked to switch over to open source software [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
- Open source project builds mobile networks without big carriers [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
- Your U.S. government uses open source software, and loves it [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
- Linux Goes to the Head of the Class [Last Updated On: March 22nd, 2014] [Originally Added On: March 22nd, 2014]
- What is open source? - Definition from WhatIs.com [Last Updated On: March 23rd, 2014] [Originally Added On: March 23rd, 2014]