Thursday, June 10, 2021
By Fuel HQ
View part 1 of the Open Source series here.
Open source software has come a long way over the years and more cybersecurity professionals have started to adopt it into their programs. In part two of our Open Source series, Fuel Editorial Advisory Committee (EAC) members share their thoughts on the software's progression over time and how industry professionals can safely control it.
Our contributors and the sectors they serve:
Charles Buege (CB): Works for an industrial internet of things (IIoT) company that specializes in the telematics/fleet management field
Terry Newton (TN): Works for a small, rural public school (K-12)
Laura Penhallow (LP): Works for a proprietary trading firm in London
Why is open source considered good today but 10 years ago it wasn’t considered as acceptable?
LP: I think that sites like GitHub have stabilized and matured the open source community, and given it “street cred.” There has also been an uptick in commercial software companies collaborating with or outright purchasing open source projects: Dell with Red Hat, Microsoft and Ubuntu/WSL, etc.
Open source is now more commonplace than previously, which helps to quell some of the FUD (fear, uncertainty and doubt). I think there is a whole demographic of people who don’t know that their Nintendo Switch uses open source code, or that the Mars Helicopter leveraged open source packages. (I know one of the contributors!)
CB: I wouldn’t say that open source is considered “good” today so much as, for my company, it is considered essential. There is no way that we could have gotten our application to where it is today without many, many open source projects out there. React, Angular and GraphQL are just a few of the open source projects that have allowed us to grow our application in leaps and bounds.
Ten years ago, from what I saw, there was no consistency, stability or security in open source projects. Back then they were small, simple projects where a few people worked on an idea that one person had and a couple others found interesting to play around with in their spare time. It was a hobby someone did on the weekend. If they didn’t feel like finishing it, that was fine.
Today, if someone deletes an open source project, it can take down significant parts of the entire internet. This happened a couple of years ago when a single, 11-line npm package called “left-pad” was deleted. See this article for more details.
Open source, as is true for all things on the internet, has evolved into something else and is now an indispensable part of the development community.
TN: I would say there is a greater demand for open source software to be created, partially due to the cost of brand-name software. However, if you are going to make open source software and people find it solves a problem, contributors want the project to keep growing and developing. When one thought of open source, it was a small personal project put up on the web for others to see, but it had no support. Now most who put up open source want people to contribute to get a better project.
What about the lack of control with open source software? How can you control this?
LP: This is a problem even with commercial software. The first couple of revisions in a branch are usually fraught with peril, whether it's open source or not. IT staff need to be vigilant in reading the release notes and also about local testing. Using configuration management tools like Salt, Puppet, Chef or Ansible can ensure that the version you want installed is consistently applied (and can also roll back changes if someone went rogue and upgraded a node).
CB: It used to be that open source meant a complete lack of control; there were no standards and anyone could do anything. Most of the better open source projects today follow good processes and use tools like GitHub to allow for more control over the release of their code.
Now, where anyone could once do anything and potentially inject any malicious code into a project with almost zero traceability, the use of version control systems like GitHub prevents this. They also allow the open source project managers to hold those who make the code submissions accountable for their contributions. “You’re trying to inject something malicious into our project? Okay — you’re blocked from ever touching our project again.”
TN: On new or updated open source software, I load the software virtually to try it and make sure there is no problem with the software downloaded or updated. I make several copies in case there is an issue I find later with the software. I download from the main source for the open source software to make sure it is the latest stable version.
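The two answers above describe one control from two sides: LP pins the version a node should run and rolls back drift with configuration management, and TN tests a fresh download in a VM and keeps a known-good copy before trusting it. The script below is an added example, written for this page rather than taken from the article or from Salt, Puppet, Chef, Ansible or any other tool named in it. It records the hash of the copy that was actually tested (`pin_artifact`), refuses a later download whose version or bytes differ (`verify_artifact`), and reports nodes whose installed version has drifted from the pinned one (`drift_report`). The function names, the manifest layout and the sample "tarball" bytes are all constructed for the demo.

```python
"""Pin-then-verify for open source artifacts (added example, not the article's code).

pin_artifact   - freeze the exact bytes that were tested, keyed by package name
verify_artifact - accept a download only if name, version and SHA-256 all match
drift_report   - list packages whose installed version differs from the pin
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pin:
    version: str
    sha256: str  # hex digest of the artifact that was tested and approved


Manifest = Dict[str, Pin]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifact(manifest: Manifest, name: str, version: str, data: bytes) -> Pin:
    """Record the copy that passed local testing so later downloads must match it."""
    pin = Pin(version=version, sha256=sha256_hex(data))
    manifest[name] = pin
    return pin


def verify_artifact(manifest: Manifest, name: str, version: str, data: bytes) -> str:
    """Return 'ok', 'unpinned', 'version-drift' or 'hash-mismatch' for a download.

    Version is checked before hash so a legitimate upgrade is reported as drift
    (someone needs to re-test and re-pin) rather than as tampering.
    """
    pin = manifest.get(name)
    if pin is None:
        return "unpinned"
    if version != pin.version:
        return "version-drift"
    # compare_digest avoids timing differences; not critical for a local check,
    # but it is the habit to keep when comparing any digest.
    if not hmac.compare_digest(sha256_hex(data), pin.sha256):
        return "hash-mismatch"
    return "ok"


def drift_report(manifest: Manifest, installed: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Compare pinned versions with what a node actually reports as installed.

    Returns (package, pinned_version, installed_version_or_None) for every
    mismatch; an empty list means the node matches the manifest.
    """
    report: List[Tuple[str, str, Optional[str]]] = []
    for name, pin in manifest.items():
        actual = installed.get(name)
        if actual != pin.version:
            report.append((name, pin.version, actual))
    return report


# Constructed stand-ins for downloaded tarballs; real use would read the files.
TESTED_LEFT_PAD = b"constructed bytes standing in for left-pad-1.3.0.tgz"
TAMPERED_LEFT_PAD = b"constructed bytes standing in for a modified left-pad-1.3.0.tgz"


def demo() -> Dict[str, object]:
    """Run the pin/verify/drift cycle on the constructed inputs."""
    manifest: Manifest = {}
    pin_artifact(manifest, "left-pad", "1.3.0", TESTED_LEFT_PAD)
    return {
        "same_bytes": verify_artifact(manifest, "left-pad", "1.3.0", TESTED_LEFT_PAD),
        "tampered": verify_artifact(manifest, "left-pad", "1.3.0", TAMPERED_LEFT_PAD),
        "new_version": verify_artifact(manifest, "left-pad", "1.4.0", TESTED_LEFT_PAD),
        "never_pinned": verify_artifact(manifest, "is-odd", "1.0.0", b"anything"),
        "node_in_sync": drift_report(manifest, {"left-pad": "1.3.0"}),
        "node_upgraded": drift_report(manifest, {"left-pad": "1.4.0"}),
        "node_missing": drift_report(manifest, {}),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The manifest is the piece to keep under source control next to the configuration-management code: a version string alone says what you meant to install, but only the digest says the bytes on the node are the bytes you tested.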