This story was originally published on Sept. 19, 2018, and is brought to you today as part of our Best of ECT News series.
Linux and the open source business model are far different today than many of the early developers might have hoped. Neither can claim a rags-to-riches story. Rather, their growth cycles have been a series of hit-or-miss milestones.
The Linux desktop has yet to find a home on the majority of consumer and enterprise computers. However, Linux-powered technology has long ruled the Internet and conquered the cloud and Internet of Things deployments. Both Linux and free open source licensing have dominated in other ways.
Microsoft Windows 10 has experienced similar deployment struggles as proprietary developers have searched for better solutions to support consumers and enterprise users.
Meanwhile, Linux is the more rigorous operating system, but it has been beset by a growing list of open source code vulnerabilities and compatibility issues.
The Windows phone has come and gone. Apple’s iPhone has thrived in spite of stagnation and feature restrictions. Meanwhile, the Linux-based open source Android phone platform is a worldwide leader.
Innovation continues to drive demand for Chromebooks in homes, schools and offices. The Linux kernel-driven Chrome OS, with its browser-based environment, has made staggering inroads for simplicity of use and effective productivity.
Chromebooks now can run Android apps. Soon the ability to run Linux programs will further feed open source development and usability, both for personal and enterprise adoption.
One of the most successful aspects of non-proprietary software trends is the wildfire growth of container technology in the cloud, driven by Linux and open source. Those advancements have pushed Microsoft into bringing Linux elements into the Windows OS and containers into its Azure cloud environment.
“Open source is headed toward faster and faster rates of change, where the automated tests and tooling wrapped around the delivery pipeline are almost as important as the resulting shipped artifacts,” said Abraham Ingersoll, vice president of sales and solutions engineering at Gravitational.
“The highest velocity projects will naturally win market share, and those with the best feedback loops are steadily gaining speed on the laggards,” he told LinuxInsider.
Progress in the Works
To succeed with the challenges of open source business models, enterprises have to devise a viable way to monetize community development of reusable code. Those who succeed also have to master the formula for growing a free computing platform or its must-have applications into a profitable venture.
Based on an interesting GitLab report, 2018 is the year for open source and DevOps, remarked Kyle Bittner, business development manager at Exit Technologies.
That forecast may be true eventually, as long as open source can dispel the security fears, he told LinuxInsider.
“With open source code fundamental to machine learning and artificial intelligence frameworks, there is a challenge ahead to convince the more traditional IT shops in automotive and oil and gas, for example, that this is not a problem,” Bittner pointed out.
The future of the open source model may be vested in the ability to curb worsening security flaws in bloated coding. That is a big “if,” given how security risks have grown as Linux-based deployments evolved from isolated systems to large multitenancy environments.
LinuxInsider asked several open source innovators to share their views on where the open source model is headed, and to recommend the best practices developers should use to leverage different OS deployment models.
Innovative work and developer advances changed the confidence level for Oracle engineers working with hardware where containers are involved, according to Wim Coekaerts, senior vice president of operating systems and virtualization engineering at Oracle. Security of a container is critical to its reliability.
“Security should be part of how you do your application rollout and not something you consider afterward. You really need to integrate security as part of your design up front,” he told LinuxInsider.
Several procedures in packaging containers require security considerations. That security assessment starts when you package something. In building a container, you must consider the source of those files that you are packaging, Coekaerts said.
Security continues with how your image is created. For instance, do you have code scanners? Do you have best practices around the ports you are opening? When you download from third-party websites, are those images signed so you can be sure of what you are getting?
“It is common today with Docker Hub to have access to a million different images. All of this is cool. But when you download something, all that you have is a black box,” said Coekaerts. “If that image that you run contains ‘phone home’ type stuff, you just do not know unless you dig into it.”
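The checks Coekaerts describes for the inbound side (where the packaged files come from, which ports are opened, whether a download is trusted) can be turned into a small policy scan over a Dockerfile. The following is an added example, not code from the article or from Oracle: it parses a constructed Dockerfile and flags a base image that is not pinned by digest, an ADD that pulls from a remote URL, a RUN that pipes a download into a shell, exposed ports outside an assumed allow-list, and the absence of a non-root USER. The sample file, the ALLOWED_PORTS set and the rule names are all constructed for illustration.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample Dockerfile (not from the article) with several weak choices.
SAMPLE_DOCKERFILE = """\
FROM python:3.11
ADD https://example.invalid/tools/setup.sh /tmp/setup.sh
RUN curl -fsSL https://example.invalid/install.sh | sh
EXPOSE 22
EXPOSE 8080
COPY app/ /app/
CMD ["python", "/app/main.py"]
"""

# Assumption: the service only needs these ports; anything else is worth a question.
ALLOWED_PORTS = {80, 443, 8080}

Finding = Tuple[int, str, str]  # (line number, rule id, message); line 0 = whole file


def _instructions(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, KEYWORD, argument) with backslash continuations joined."""
    buf: List[str] = []
    start = 0
    for idx, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = idx
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        joined = " ".join(buf)
        buf = []
        keyword, _, arg = joined.partition(" ")
        yield start, keyword.upper(), arg.strip()


def check_dockerfile(text: str) -> List[Finding]:
    """Return policy findings for a Dockerfile; an empty list means no rule fired."""
    findings: List[Finding] = []
    saw_non_root_user = False
    for n, kw, arg in _instructions(text):
        if kw == "FROM":
            image = arg.split()[0]  # drop an "AS stage" suffix
            if "@sha256:" not in image:
                findings.append((n, "unpinned-base",
                                 f"base image {image!r} is not pinned by digest"))
        elif kw == "ADD" and re.match(r"https?://", arg):
            findings.append((n, "remote-add",
                             "ADD fetches a remote URL; download, verify, then COPY"))
        elif kw == "RUN" and re.search(r"(curl|wget)\b.*\|\s*(ba)?sh\b", arg):
            findings.append((n, "pipe-to-shell",
                             "RUN pipes a downloaded script straight into a shell"))
        elif kw == "EXPOSE":
            for spec in arg.split():
                port = int(spec.split("/")[0])  # "8080/tcp" -> 8080
                if port not in ALLOWED_PORTS:
                    findings.append((n, "unexpected-port",
                                     f"port {port} is not in the allow-list"))
        elif kw == "USER" and arg not in ("root", "0"):
            saw_non_root_user = True
    if not saw_non_root_user:
        findings.append((0, "runs-as-root",
                         "no non-root USER instruction; the container runs as root"))
    return findings


if __name__ == "__main__":
    for line_no, rule, message in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: [{rule}] {message}")
```

Pinning by digest is what makes the "is this image what I think it is" question answerable: a tag such as `python:3.11` can be repointed upstream, a `@sha256:` digest cannot. The check is deliberately a lint, not a scanner; it tells you where to look, and a code or image scanner still has to inspect what is inside the layers.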
Ensuring that containers are built securely is the inbound side of the technology equation. The outbound part involves running the application. The current model is to run containers in a cloud provider world inside a virtual machine to ensure that you are protected, noted Coekaerts.
“While that’s great, it is a major change in direction from when we started using containers. It was a vehicle for getting away from a VM,” he said. “Now the issue has shifted to concerns about not wanting the VM overhead. So what do we do today? We run everything inside a VM. That is an interesting turn of events.”
A related issue is running containers natively, where there is not enough isolation between processes. So now what?
The new response is to run containers in a VM to protect them. Security is not compromised, thanks to lots of patches in Linux and the hypervisor. That ensures all the issues with the cache and side channels are patched, Coekaerts said.
However, it leads to new concerns among Oracle’s developers about how they can ramp up performance and keep up that level of isolation, he added.
Backward in Time
Some view today’s container technology as the first step in creating a subset of traditional Linux. Coekaerts gives that view some credence.
“Linux the kernel is Linux the kernel. What is an operating system today? If you look at a Linux distribution, that certainly is morphing a little bit,” he replied.
What is running an operating system today? Part of the model going forward, Coekaerts continued, is that instead of installing an OS and installing applications on top, you basically pull in a Docker-like structure.
“The nice thing with that model is you can run different versions on the same machine without having to worry about library conflicts and such,” he said.
Today’s container operations resemble the old mainframe model. On the mainframe, everything was a VM. Every application you started had its own VM.
“We are actually going backward in time, but at a much lighter weight model. It is a similar concept,” Coekaerts noted.
Container technology is evolving quickly.
“Security is a central focus. As issues surface, developers are dealing with them quickly,” Coekaerts said, and the security focus applies to other aspects of the Linux OS too.
“All the Linux developers have been working on these issues,” he noted. “There has been a great communication channel before the disclosure date to make sure that everyone has had time to patch their version or the kernel, and making sure that everyone shares code,” he said. “Is the process perfect? No. But everyone works together.”
Vulnerabilities in open source code have been the cause of many recent major security breaches, said Dean Weber, CTO of
Open source components are present in 96 percent of commercial applications, based on a report Black Duck released last year.
The average application has 147 different open source components — 67 percent of which are used components with known vulnerabilities, according to the report.
“Using vulnerable, open source code in embedded OT (operational technology), IoT (Internet of Things) and ICS (industrial control system) environments is a bad idea for many reasons,” Weber told LinuxInsider.
He cited several examples:
- The code is not reliable within those devices.
- Code vulnerabilities easily can be exploited. In OT environments, you don’t always know where the code is in use or if it is up to date.
- Systems cannot always be patched in the middle of production cycles.
“As the use of insecure open source code continues to grow in OT, IoT and ICS environments, we may see substations going down on the same day, major cities losing power, and sewers backing up into water systems, contaminating our drinking water,” Weber warned.
Who’s Responsible for Security?
The brutal truth for companies using open source libraries and frameworks is that open source is awesome, generally high-quality, and absolutely the best method for accelerating digital transformation, maintained Jeff Williams, CTO of Contrast Security.
However, open source comes with a big *but,* he added.
“You are trusting your entire business to code written by people you don’t know for a purpose different than yours, and who may be hostile to you,” Williams told LinuxInsider.
Another downside to open source is that hackers have figured out that it is an easy attack vector. Dozens of new vulnerabilities in open source components are released every week, he noted.
Every business option comes with a bottom line. For open source, the user is responsible for the security of all the open source used.
“It is not a free lunch when you adopt it. You are also taking on the responsibility to think about security, keep it up to date, and establish other protections when necessary,” Williams said.
Developers need an efficient guideline to leverage different deployment models. Software complexity makes it almost impossible for organizations to deliver secure systems. So it is about covering the bases, according to Exit Technologies’ Bittner.
Fundamental practices, such as creating an inventory of open source components, can help devs match known vulnerabilities with installed software. That reduces the threat risk, he said.
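The inventory practice Bittner describes only pays off when the inventory is actually compared against advisory data, and the comparison has to get version ranges right. The following is an added example, not code from the article or from Exit Technologies: it takes a constructed component inventory (the kind a lockfile or SBOM would yield) and a constructed advisory table with introduced/fixed version ranges, compares versions numerically rather than lexically, and reports both the components that match a known advisory and the components for which there is no advisory data at all. The component names, the ADV-000x identifiers and the version numbers are placeholders; real advisories would come from a feed such as NVD or OSV.

```python
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so that 1.10.0 > 1.9.0, unlike string comparison."""
    return tuple(int(part) for part in v.split("."))


class Advisory(NamedTuple):
    component: str
    advisory_id: str        # placeholder ids; real ones come from NVD/OSV/vendor feeds
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None means no fix yet


# Constructed advisory table for illustration only.
ADVISORIES: List[Advisory] = [
    Advisory("libfoo", "ADV-0001", "1.0.0", "1.4.2"),
    Advisory("libfoo", "ADV-0002", "1.5.0", None),
    Advisory("barparse", "ADV-0003", "0.9.0", "2.0.0"),
]

# Constructed inventory: component -> installed version, as a lockfile or SBOM would list it.
INVENTORY: Dict[str, str] = {"libfoo": "1.3.7", "barparse": "2.1.0", "quxlog": "3.0.1"}

Hit = Tuple[str, str, str, Optional[str]]  # (component, installed, advisory id, fixed-in)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when 'version' lies in [introduced, fixed); an open range when fixed is None."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def match_inventory(inventory: Dict[str, str], advisories: List[Advisory]) -> List[Hit]:
    """Return every (component, installed version, advisory, fixed-in) pair that applies."""
    hits: List[Hit] = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(installed, adv):
            hits.append((adv.component, installed, adv.advisory_id, adv.fixed))
    return hits


def unreviewed(inventory: Dict[str, str], advisories: List[Advisory]) -> Set[str]:
    """Components with no advisory record at all: unknown status, not a clean bill of health."""
    covered = {adv.component for adv in advisories}
    return {name for name in inventory if name not in covered}


if __name__ == "__main__":
    for component, installed, adv_id, fixed in match_inventory(INVENTORY, ADVISORIES):
        remedy = f"upgrade to {fixed}" if fixed else "no fix published"
        print(f"{component} {installed}: {adv_id} ({remedy})")
    print("no advisory data for:", sorted(unreviewed(INVENTORY, ADVISORIES)))
```

Two details matter in practice. Version comparison must be numeric, because a lexical comparison puts `1.10.0` before `1.9.0` and silently marks a vulnerable build as fixed. And a component with no advisory hits is not the same as a component that has been reviewed; reporting the unreviewed set separately keeps that distinction visible to whoever owns the risk.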
“Of course, there is a lot of pressure on dev teams to build more software more quickly, and that has led to increased automation and the rise of DevOps,” Bittner acknowledged. “Businesses have to ensure they don’t cut corners on testing.”
Developers should follow the Unix philosophy of minimalist, modular deployment models, suggested Gravitational’s Ingersoll. The Unix approach involves progressive layering of small tools to form end-to-end continuous integration pipelines. That produces code running in a real target environment without manual intervention.
Another solution for developers is an approach that can standardize with a common build for their specific use that considers third-party dependencies, security and licenses, suggested Bart Copeland, CEO of ActiveState. Also, best practices for OS deployment models need to consider dependency management and environment configuration.
“This will reduce problems when integrating code from different departments, decrease friction, increase speed, and reduce attack surface area. It will eliminate painful retrofitting open source languages for dependency management, security, licenses and more,” he told LinuxInsider.
Where Is Open Source Going?
Open source has been becoming more and more enterprise-led. That has been accompanied by a rise in distributed applications composed from container-based services, such as Kubernetes, according to Copeland.
Application security is at odds with the goals of development: speed, agility and leveraging open source. These two paths need to converge in order to facilitate development and enterprise innovation.
“Open source has won. It is the way everyone — including the U.S. government — now builds applications. Unfortunately, open source remains chronically underfunded,” said Copeland.
That will lead to open source becoming more and more enterprise-led. Enterprises will donate their employee time to creating and maintaining open source.
Open source will continue to dominate the cloud and most server estates, predicted Howard Green, vice president of marketing for Azul Systems. That influence starts with the Linux OS and extends through much of the data management, monitoring and development stack in enterprises of all sizes.
It is inevitable that open source will continue to grow, said Contrast Security’s Williams. It is inextricably bound with modern software.
“Every website, every API, every desktop application, every mobile app, and every other kind of software almost invariably includes a large amount of open source libraries and frameworks,” he observed. “It is simply unavoidable and would be fiscally imprudent to try to develop all that code yourself.”