Cloud Source Blog
In this HP Cloud Source Blog, HP expert Christian Verstraete examines cloud computing challenges, discusses practical approaches to cloud computing and suggests realistic solutions.

Open Source does not stop you from doing your homework

Over the last couple of weeks, the word Heartbleed has been on everybody’s lips. And it has quickly become an argument against Open Source. You see, the Open Source community is unable to write software that is security-proof. I’m not a security specialist, so I won’t dive into the intricacies of how and why this happened, but I’d like to share with you some of my thoughts about using Open Source software, and what you should do if you start using such software.


First, let me remind you that security loopholes are not exclusive to Open Source software. Some very well-known software providers often release patches for their software. Some do so on a regular schedule. Ever heard the phrase “patch Tuesday”? I actually feel that relatively few security incidents are reported in the Open Source community.


The difference between the development process in the Open Source world and in the commercial world boils down to the fact that the developers are not all part of the same company. They are a community of people who put their experience, their skills and their knowledge together to achieve a common objective: the development of a piece of code. Ultimately, the same precautions apply.


So, what should you do if you want to use a specific piece of Open Source software? Fundamentally, two things.


Understand the governance process

One of the big advantages of most Open Source communities is that they are quite transparent. Everything they do is documented. OK, it’s not always that easy to find and/or understand what they mean, but you can get the information. Take the time to find the information, go through it, try to understand what it means, and decide whether you are comfortable with what they have put in place.


There are a number of elements to look at:

  • Which organizations support the community? Are they funding it and, if the answer is yes, how? Look for a foundation or another not-for-profit structure and understand who is behind it. Let’s take the example of the OpenSSL Software Foundation. It used to run on a shoestring budget and it took Heartbleed to get it proper funding. At the other end of the spectrum, look at the structure set up by the OpenStack Foundation.
  • Understand how functionality is decided. How does the community agree on what additional functionality is developed, who does it, and how is it integrated into the overall activities? Is there a technical committee that looks at the implications of decisions for the software architecture, its testing and its releases? To stick with OpenStack for a minute, the technical committee members define and steward the technical direction of OpenStack software, including cross-program issues. The committee of 13 is fully elected by the project’s Active Technical Contributors.
  • Understand how contributors can contribute to the process. Let me take OpenStack as an example again. A well-documented page describes how you can contribute. If you have coded a piece of functionality, you first need to go through peer review. Only when that is done is your contribution added for testing. Thorough testing takes place, and only if you pass that testing is your contribution included in the software. That may not resolve everything, but it already guarantees that many issues are addressed. Also look at the other roles that the OpenStack team employs.

Ultimately, get to know who contributes to the development of the Open Source software you want to use. Make sure you feel confident they do a professional job. Be comfortable with what you read, as there is nobody you can turn to if things get ugly.


Perform your own security tests

Now you’re ready to use the software you have been looking at. Before you do that, run your own tests. In particular, you may want to scan the software for potential security holes. Perform static and dynamic application security testing, on both the source code and the object code.


This is a big difference compared to what you do with commercial software. You have nobody to turn to, so make sure you do your homework before you take things into production.

You may also want to think about contributing to the Open Source community that develops the software you’re interested in, so that you get in contact with the other contributors, understand better how the software is constructed, and learn where you may have to pay attention.


Don’t forget to look at the licensing

There are many different flavors of Open Source software licenses, and the one under which the software you are looking at is released may have implications for what you can do with it. You can find the list of the most popular open source licensing agreements here. They are not all equal. Let me give you a simple example:

  • GPL aims to protect freedom by forcing freedom upon anyone else who uses GPL code. If you write GPL code, all the derivatives will be GPL and you'll always be able to reap the benefits of others' work based on your work.
  • BSD folks see it differently: freedom implies the freedom to allow others to take my code and do whatever they want with it. If I write BSD code, someone can derive from it and build something else, but this derivative work may never be shown to the world. The person who derived it will be the sole beneficiary: they took other people's contributions but did not give anything back.

So make sure you understand what you are getting into when deciding to use Open Source code.


Conclusion

You pay for commercial software. Open Source software typically comes for free. So, it’s a winning proposition for many companies. However, do your homework; don’t just try to save money, because with Open Source software you are solely responsible. Sure, you can typically get support from the community, but you cannot turn to a provider for compensation in case of issues. So make sure you keep that in mind when making your decision.

About the Author
Christian is responsible for building services focused on advising clients in their move to cloud, particularly from a business process and ...