As more and more customers move towards open source solutions in the enterprise, the question arises as to who is keeping the code pool safe and risk-free.
The beauty of an open source environment is the freedom and openness that it brings, but by definition, this represents a Wild West frontier with no-one there to act as sheriff.
Enter Black Duck Software, set up in 2002 not as an anti-malware tool or a security outfit, but as a 'curator' of the open source infrastructure. As well as providing a gigantic database of code, based on safety, reliability and reputation of contributor, the company also provides consulting services to some of the largest IT companies in the world, actually helping to create open source policy.
The INQUIRER caught up with its new head of EMEA, Damian Saunders, for a 'state of the union' discussion on the nature of open source and how prevention, not cure, is the key to safe IT infrastructure.
"That's the area where we've seen the biggest knowledge gap in security," he said. "What we've found is that companies moving towards a dev-ops model, and let's face it that's just about everybody, are seeing this as an opportunity to bring things like security very early into the development cycle."
It's not a new idea, but in a software-defined future it becomes more important than ever.
"This is what some years ago people talked about as 'secure-by-design' in hardware, but this time it has software in its sights. When you don't take this approach, it's a bit like when you build a house, realise there is something wrong with the foundations and have to take half the house down to fix it. It's better if you constantly test the house as you build it to make sure you don't find anything," he said.
This rings particularly true at a time when the infrastructure of the hardware vs software paradigm is changing with the advent of the Internet of Things (IoT) and a shift towards software-defined networking, as in many cases we are still building the foundations. Or, in the case of the IoT, arguing over the blueprints.
Of course, the classic example of this was Heartbleed, easily the biggest and most famous code vulnerability in recent years, although far from being alone. Saunders pointed out that it wasn't just the code that was at fault. The operational realities of this type of protocol can be just as responsible for failings as the code itself.
"Heartbleed was the poster child of awareness of security around open source, but it also revealed to us what we refer to as operational risk. Security vulnerabilities are evident in open source, the same way they are in commercial software, maybe even more so because of the sheer volume of code out there.
"But when we started to dig into the cause, the truth was operational - OpenSSL was supported by two guys named Steve (!) and yet it was incorporated into some of the biggest e-commerce platforms, content delivery systems, websites, mission-critical assets," explained Saunders.
"The reality is that we all trusted OpenSSL without looking after it. What no-one had noticed is that the supportability wasn't there - these two guys weren't getting paid in the same way as commercial developers, they were trying to keep the contributions going and the peer review levels high. But at the end of the day it was still an under-resourced, under-funded project. Which brings me back to my point that, when it comes to cyber security, it's about prevention, not cure."
This, of course, returns us to the Black Duck mantra. "If you work on that basis, you are more likely to not build in vulnerabilities in the first place, and you are more likely to be consuming third-party sources from libraries that have high levels of attribution and peer review," said Saunders.
He doesn't live in an ideal world and accepts that, no matter how much you try, there'll always be vulnerabilities to uncover. It's what you do about them that matters, and how you prepare.
"You can't help that there will be vulnerabilities in your code sometimes. What we had with Heartbleed was a number of companies which had code that was in production and live to web, and what followed was this rather undignified hair-on-fire scramble for remediation," he said.
The INQUIRER takes a moment to question whether the arrival of the IoT, with the prospect of hundreds of thousands of sensors on a corporate network, is making the integrity of the code even harder to manage. What we get is possibly one of the best responses anyone has given us this year.
"I would call bluff on the IoT. It's not really an IoT, it's just the growing complexity of stuff. There's no common connectivity there for it to be an IoT, but that doesn't mean it's not a problem," he said.
Saunders goes on to illustrate his "growing complexity of stuff" with a parable about an old plane and a new car. "There's an American jet fighter, the F22 Raptor, that took to the skies in 1995. It's already a 20-year-old design. The avionics package in that had 1.7 million lines of code," he explained.
"Earlier this year Mercedes introduced the 32-15 C Series. It's a four-door family car, the sort of thing you'd see on the street all the time probably. Twenty years on from the Raptor, that car has one hundred million lines of code. If the code from that Raptor was in the Mercedes, you couldn't even reverse off the drive."
Which brings Saunders to his point: code is getting more complicated. If it isn't being curated, it's going to fall over eventually.
"That base of growth is not going to decrease, so the challenge this gives us, which is where I feel there is a knowledge gap, is how this interrupts the supply chain. When you have code in your fridge, this high-quality code need is imperative and immediate. One node in your corporate network is disruptive, but it's within your power to fix," he said.
"If you distribute that code in an embedded system, like the braking system of a truck, or the circuit board in a fridge, that kind of recall becomes unthinkable."
One could be forgiven for thinking that in some way Saunders is against open source software. But quite the reverse. What he and Black Duck demonstrate is a love of the ecosystem and a determination to make sure it lives up to its full potential.