Linux Foundation: Security Challenges Threaten ‘Golden Age’ Of Open Source

The discovery of several high profile zero-day vulnerabilities in popular open source technologies last year served not only to show the importance of open source to the Internet and IT world, but also how woefully under-resourced so many projects were

The Heartbleed bug, which impacted OpenSSL, Poodle, a vulnerability in SSL, and the Shellshock vulnerability in Bash all affected tech firms of all sizes and resulted in the creation of the Core infrastructure Initiative (CII), a Linux-Foundation led initiative to improve open source security.

CII’s financial backers include Adobe, Bloomberg, HP, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco – a level of support which Linux Foundation executive director Jim Zemlin says is evidence we’re living in a “golden age” of open source.

Golden age of open source

“Everyone is talking about how to leverage open source. It’s simply a better, faster, cheaper way to innovative,” he told IP Expo in London adding that companies like Cloudera, Hortonworks, RedHat and Docker were all creating “incredible wealth and innovation.”

Indeed, Microsoft is using it for software defined networking (SDN) in its Azure cloud platform, Apple thinks the peer review process makes open better and “80 percent” of the technology in a Tesla car is open source.

“Almost the entirety of the internet is entirely reliant on open source software,” Zemlin continued. “We’ve reached a golden age of open source. Virtually every technology and product and service is created using open source.”

Security fears

But he said open source was not immune to the security threat faced by the entire computing industry and said Heartbleed, and others, served as a wakeup call for the IT industry. It is believed 200,000 devices are still vulnerable.

“Heartbleed literally broke the security of the Internet,” he explained. “Over a long period of time, whether we knew it or not, became dependent on open source for the security and Integrity of the internet.”

Zemlin said many people had asked him why had the peer review process not highlighted these vulnerabilities, but the answer was blindingly obvious. Many of these projects are maintained by as few as one person, some part time, and with very little financial assistance.

For example the NTPd protocol that keeps time on the Internet is worked by one part-time volunteer. Before Heartbleed, OpenSSL received less than $2,000 a year in donations, while OpenSSH and Bash had similarly meagre support.

“It’s completely out of proportion to the attention these projects play in society and the Internet,” said Zemlin. “OpenSSL for a long period of time was essentially maintained by two guys named Steve. Think about that.”

Heartbleed reaction

The scale of Heartbleed opened up many major technology firms eyes to the fact they needed to pay more attention to open source and couldn’t just rely on the community being self-sufficient. The creation of the CII was testament to that and is a cause the Linux Foundation is more than happy to champion.

The great thing about open source, according to Zemlin, is the organic innovation and peer review processes, but this also makes it impossible to issue top-down instructions. Rather than ‘major surgery’, he likens the approach to a personal trainer as best practices and more resources are devoted, changing the culture over time. Secure code, he says, is difficult to write and maintain, and there is no desire to mess up open source successes.

“Personal trainers need to teach people how to write more secure code and test it in a meaningful way,” he explained. “[The CII] is meant to go fix the potholes of the information highway. We are essentially taking a pre-emptive approach to cyber security.

Developers are artists

“We want to find the projects on the Internet that are broken and fix them. We have raised a multi-million fund to provide grants to projects to help them out. Examples include fellowships for the OpenSSL community to help them work full time.”

The CII also offers testing tools and has also launched accreditation programmes for projects that adhere to certain criteria.

“Open source projects their maintainers and contributors, will be able to look at the criteria,” said Zemlin. “Some are machine readable so we can audit and other will be best practices.

“That will motivate open source developers because the thing that motivates developers the most is people using their code. They’re like poet, musicians – they get gratification for that.”

Other initiatives include education programmes, hackathons, scholarships and access to research and whitepapers. Shared tools for testing and auditing will also be made available and the CII is even paying testers to look at projects for vulnerabilities– including OpenSSL’s 500,000 lines of code.

A better internet

“If we do all these things well, that’s how we’re going to produce more secure software and reduce the time you’re going to spend remediating [vulnerabilities],” said Zemlin, who noted the number of closed open source bugs had increased dramatically since the formation of the CII.

“I’m not here to sell you any product or give you any quick fix, but the Linux Foundation and biggest technology firms in the world believe there is a long term path to creating secure code.

“We’re not talking about some new technology product or service, we’re talking about your privacy, your security. We believe creating a more secure, more robust Internet is good for all of us.”

What do you know about Linux? Take our quiz!