With Much of the Data Center Stack Open Source, Security is a Special Challenge
Without a vendor behind it, open source software takes a deliberate effort by IT to secure it.
March 20, 2018
For data center operators, open source software offers a number of advantages. It's free, the code can be examined and modified, and if it's a popular package then there may also be a large ecosystem of support forums, related tools, compatible software, and more.
Plus, according to the "many eyes" theory of security, there are so many people looking at the code -- such as security professionals at the world's biggest financial firms -- that any problems can be quickly found and fixed.
And did I mention that it's free?
No wonder much of the internet runs on open source software. Most websites are run on open source software, led by Apache and nginx, and the majority of enterprise servers run Linux.
Data centers also use Apache Mesos and HashCorp's Nomad, two open source data center operating systems.
Kubernetes and Docker are popular open source platforms for deploying containers on clusters of servers, providing automation, scaling, and operation of applications, Anthony James, CMO at TrapX, a cybersecurity company, said. Popular open source database servers include MySQL and MariaDB, among others.
Even commercial software is not immune to the open source trend. According to Synopsys-owned Black Duck Software, which tracks open source code, open source components are now present in 96 percent of commercial applications.
Open source components make development faster and cheaper for both commercial software shops and in-house teams.
"All of these things lead to a stack of open source," said Tim Mackey, senior technical evangelist for Black Duck by Synopsys.
But there's a downside to the spread of open source code, and that downside is patch management.
"It's impressive the number of people who come to me and say, so how do I actually do patching?" said Mackey. "They still haven't figured it out yet."
Why Patching Open Source Software is Hard
When commercial software is updated, the company behind it can send out an update to its customers. It knows where the customers are, because there's a financial incentive to keep track of them -- software vendors want to sell them more stuff.
That's not the case for open source projects. Anyone can download open source software without having to give up any contact or payment information. If there's an update or security patch, it's up to the user to keep an eye out for it, download it, and install it
"There is no guaranteed support for vulnerability remediation, and when vulnerabilities go uncorrected, the critical nature of the risk increases," said Mitch Kavalsky, director for security governance and risk at Sungard Availability Services.
That's why Atlantic.net, a hosting company with several data centers in the US and Europe, stays away from open source software for mission critical functionality.
"Mission critical systems need to have a known path for maintenance should a bug occur, whereas with open source you might be waiting for the next release," said Marty Puranik, CEO at Atlantic.net. "Over time, there is trend towards open source software, but we're not there yet."
But staying away from open source isn't always easy.
Most companies don't even know about all the open source software, tools, and components that are in their environments.
When Apache released a security patch for its open source Struts web application framework last year, Equifax searched its environment twice for the affected code. Even though Equifax was using Struts, it failed to find and patch it in time, and the vulnerability led to infamous breach of more than 135 million personal records.
What's even worse is that when the open source code is hidden away inside commercial software packages, the companies using them might not even know that the vulnerabilities are there.
According to Black Duck, 67 percent of commercial applications are using components with known vulnerabilities.
Developers don't always check whether the open source components they use are the latest versions, and even when they do, once they add them to the code, they rarely go back and check whether an update has been released -- they've moved on to other projects or have simply forgotten about all the components they used.
Meanwhile, not all open source projects pay enough attention to security. The larger ones may have teams in place to track and fix vulnerabilities and put out patches. But smaller projects may not have enough people on their teams.
"In my experience, most projects using open source software struggle to stay up to date, fall behind on their versions, and run the massive risk of being exploited via a known issue," said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
Plus, hackers can see the code itself and try to figure out ways to abuse it.
They can even submit patches to open source projects with secret back doors that they themselves can exploit, said Ofri Ziv, VP of research at GuardiCore. If an open source project has a small team of programmers, they might not spot the problem.
"For these reasons, free or open source solutions pose a greater risk," said Konstantin Malkov, CTO at 5nine Software, a cybersecurity vendor based in West Palm Beach, Florida.
So what's the solution?
The first step is to get a handle on the open source software used in the data center.
Too often, IT managers and developers simply go online and download the tools and components they need without any oversight. Since it's free, there's no purchasing process involved, so oversight is minimal.
In particular, data centers need to be careful about using open source software from small projects without a strong community to maintain it.
Then, data centers need a process for tracking the vulnerabilities discovered in the open source software they are using and the available patches.
Finally, they need to act.
"Responsive patching practices should be put into place to deal with issues as soon as possible," said Kunal Anand, CTO and co-founder at Prevoty, a Los Angeles-based cybersecurity company.
After all, the bad guys aren't going to be polite and wait.
About the Author
You May Also Like