“Open source won. It won because it’s used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of?”
~John Bressers, Red Hat Cybersecurity Strategist
The statement “open source software is better than proprietary software” may no longer even be meaningful. Just ask John Bressers, the cybersecurity strategist for Red Hat. In an interview with InfoWorld, Bressers stated, “The concept of proprietary software doesn’t really exist anymore because virtually every organization has open source inside of the products they’re building.”
Open source is virtually everywhere. Its omnipresence is no longer questioned. The question that developers need to ask themselves now is: what next?
A Kink in the Chain
According to Bressers, the next thing developers need to focus on is recognizing open source software as a part of the supply chain, and handling that part as carefully as any other. Currently there remains an old mindset in which developers simply go out and find the open source components they need, pull them in, and that’s that.
Aside from the fact that this completely ignores the communities on which open source projects are built, it can be very dangerous for the end product. With low-quality, unmonitored open source code inside it, security issues are bound to surface down the line.
This is why, according to Bressers, it is important for developers to look at software development as more of a supply chain. In a supply chain you have vendors providing you with the parts you need to finish your product. If you get low-quality parts, you’re most likely to get a low-quality product. Likewise, in software development, if you take in low-quality open source code or software, you’re very likely to end up with a low-quality product.
The Next Big Step
Following the supply chain model, it becomes clear that certain measures need to be in place to keep developers from ending up with a low-quality, insecure product. Essentially, Bressers notes, you should have a vetting process to make sure that any software you use is top-notch, kept up to date, and won’t lead to problems in the future. This vetting could include automated and manual source code scanning, and using tools and systems that analyze the things you put in and build, and how you build them.
Bressers also suggests either of the following:
- Have a team dedicated to understanding where your open source code comes from, ensuring its quality, and keeping it updated and working as it should. This team will have to be involved in the open source software community.
- Work with a vendor that can be your representative in these matters, do all these things for you, and make sure you understand any changes and their implications. You would still have to get involved with the community at some level.
It’s crucial that developers learn to participate in open source communities and not just take what they need from them. It may seem a heavy lift at first, but it hits two very important birds with one stone: it ensures the security of the software they build, and it keeps open source software communities alive and well-supported.