Vulnerabilities in the life cycle of open-source software development can start from tiny crumbs but grow into substantial issues.

Joao-Pierre S. Ruth, Senior Editor

October 15, 2021


This week’s KubeCon + CloudNativeCon North America in-person and virtual conference put security for open-source development back in the spotlight while also talking up cloud native’s rapid rise.

Priyanka Sharma, general manager of the Cloud Native Computing Foundation (CNCF), the event host; Jim Zemlin, executive director of the Linux Foundation; and Bryan Behlendorf, general manager of the Open Source Security Foundation (OpenSSF), spoke to analysts and press about the trajectory and scale of cloud native adoption. They also presented ways their teams aim to improve the security dilemmas tied to open-source development in this space.

Sharma said the CNCF, a branch of the Linux Foundation, includes some 114 projects, with more than 138,000 individual contributors from more than 86 countries. The growth of CNCF is naturally tied to the increased appetite for cloud native development and deployment among organizations. “Things are moving really fast for our ecosystem,” she said. “Every company is becoming a technology company and they’re adopting the paradigm of cloud native.”

Open-source cloud native projects that are incubated, graduated, and approved by the CNCF, are ready for enterprise use in production at any scale, Sharma said. “We think they are going to help every company out there with their deployments and workloads.”

The pace of open-source development continues to accelerate, Zemlin said, finding its way into most technology products or services. “Open source now, 30 years into Linux, is the dominant form of how software gets developed,” he said. “It really makes up the bulk of any modern application.”

Open source has driven innovation and fostered efficiency in digital transformation, Zemlin said. It lets organizations focus on proprietary code that is their “secret sauce” for the most vital business needs, he said, while using open frameworks as building blocks for the rest.

Securing open-source code

Big challenges remain ahead for open innovation communities, Zemlin said, so the Linux Foundation raised an additional $10 million for the Open Source Security Foundation, which is rounding out its first year of operation. “We think cybersecurity is one of the most immediate challenges in open source that can be pretty systematically addressed; it will never be perfectly solved,” he said.

If there were more investment across the global software supply chain related to baseline security improvements for open source, Zemlin said there could be substantial outcomes for industry and society.

There are growing efforts to use open source to solve big societal problems, Zemlin said, including work at the onset of the pandemic on privacy-respecting contact tracing and exposure notification systems. “Open source has made so much impact on industry and how we build software. We want to take it to the next level where we can use that to tackle things like climate change, like public health.”

Behlendorf said the new funding for OpenSSF could have an exponential effect in reducing risk. The rise of open-source code has brought a flood of components to modern software stacks, he said, as well as the potential for more headaches. “It’s not just big releases,” he said. “It’s all these tiny little MPM (multi-processing) modules. Things like left-pad.”

That was a reference to the temporary, yet widespread, internet disruption in 2016, when a frequently used framework called left-pad was unpublished, breaking JavaScript packages that many web pages relied on. With more iterations and distributions of commonly used open-source code comes the potential for interdependence on the same small pieces of code. “The proliferation of these things is becoming a monstrous problem for organizations,” Behlendorf said. “It means we’ve got to solve that problem for that 90% of software.”
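The interdependence Behlendorf describes can be measured before it becomes an outage: walk the dependency graph backwards from each package and count how much would break if that package disappeared. The script below is an added example, not code from the article or from OpenSSF; the dependency graph and every package name in it except "left-pad" are constructed for illustration.

```python
"""Blast-radius analysis of a constructed dependency graph.

Added example (not from the article): models how unpublishing one tiny
package, as happened with left-pad in 2016, propagates to everything that
transitively depends on it. All package names other than "left-pad" are
constructed for this example.
"""
from collections import defaultdict, deque

# Constructed graph: package -> list of packages it directly depends on.
DEPENDENCIES = {
    "web-app": ["ui-kit", "http-client", "babel"],
    "ui-kit": ["line-numbers", "http-client"],
    "babel": ["line-numbers"],
    "line-numbers": ["left-pad"],
    "http-client": [],
    "left-pad": [],
    "cli-tool": ["babel"],
    "standalone": [],
}


def reverse_graph(deps):
    """Build package -> set of packages that directly depend on it."""
    rev = defaultdict(set)
    for pkg, needs in deps.items():
        rev.setdefault(pkg, set())  # make sure leaves appear too
        for dep in needs:
            rev[dep].add(pkg)
    return rev


def transitive_dependents(deps, target):
    """All packages that would break if `target` vanished.

    Breadth-first search over reverse edges; the `seen` set makes it
    safe on graphs with cycles and excludes `target` itself.
    """
    rev = reverse_graph(deps)
    seen = set()
    queue = deque([target])
    while queue:
        pkg = queue.popleft()
        for parent in rev[pkg]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def blast_radius(deps):
    """Rank every package by how many others transitively depend on it."""
    return sorted(
        ((pkg, len(transitive_dependents(deps, pkg))) for pkg in deps),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for pkg, count in blast_radius(DEPENDENCIES):
        print(f"{pkg:14s} breaks {count} package(s) if removed")
```

In this toy graph the one-line "left-pad" tops the ranking with five dependents, ahead of the packages that pull it in, which is exactly the concentration risk the 2016 incident exposed. Run against a real lockfile or SBOM, the same ranking tells a defender which small, low-profile packages deserve pinning, mirroring or vendoring first.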

A monstrous problem

In addition to reliance on such code, there can be other vulnerabilities in the life cycle of software development, he said, though developers might take this for granted. “We tend to assume we’re building on a set of known, good, developer tools,” Behlendorf said, “which has led to this becoming the new vector of attack for major compromises.” That includes malware and social engineering attacks. As a result, breakdowns in trust and process can affect large open-source projects all the way to the long tail of projects, he said.

The Open Source Security Foundation has been working to elevate developer education, Behlendorf said, on secure software development practices, use of tools to identify critical projects, and reinventing how digital identity works for developers. The goal is to bring about change comparable to how Let’s Encrypt brought TLS (Transport Layer Security) to many websites and helped make the majority of the web encrypted, he said.

Behlendorf said there is a need to upgrade such things as developers fumbling with PGP (Pretty Good Privacy) keys and ad hoc processes for signing releases. Those and other concerns led to OpenSSF’s formation and initiatives to change the security elements of open source. “There’s a whole lot of work to do in this space,” he said. “Some of it is about writing code; some of it’s simply about how do we pull together the existing resources in this community.”


About the Author(s)

Joao-Pierre S. Ruth

Senior Editor

Joao-Pierre S. Ruth covers tech policy, including ethics, privacy, legislation, and risk; fintech; code strategy; and cloud & edge computing for InformationWeek. He has been a journalist for more than 25 years, reporting on business and technology first in New Jersey, then covering the New York tech startup community, and later as a freelancer for such outlets as TheStreet, Investopedia, and Street Fight. Follow him on Twitter: @jpruth.
