Open source security has taken on new importance in the post-Log4Shell era. While security practices are starting to change, Emily Fox, senior principal software engineer at Red Hat and chair of the Technical Oversight Committee of the Cloud Native Computing Foundation, said systemic change is still needed.
This includes modernizing traditional open source projects and libraries, according to Fox.
“To date, I have not found a good practice by existing foundations or bodies to bridge that gap, to provide that security expertise and to kind of be the partner in bringing some of those more heritage projects within the ecosystem to modern security standards and expectations,” she told TechTarget Editorial’s Beth Pariseau in Episode 8 of IT Ops Query: Tech’s Tragedy of the Commons.
Part of the challenge has to do with a gap in cybersecurity skills needed to integrate existing materials, resources and guidance into projects. But it also has to do with the lack of a deep bench for traditional projects, where individuals could be identified and taught programming language skills to ensure next-generation maintenance, Fox said.
Plus, open source project communication tends to move in one direction: from developer to maintainer, or from pull request to maintainer, Fox said. More bidirectional communication could create better experiences with open source software, including better security. She suggested that maintainers identify and draw on the skills of the people who open pull requests, and that enterprise users must also understand their responsibility to give back to the open source community by sharing their experiences.
“While open source may be free, it’s free like a puppy. And that means not only do you have to do the work for integration into your environment, you are also expected to contribute back to the projects your lessons and learnings from that integration to assist others,” Fox said.
Stronger open source security requires modernizing not just traditional projects but practices as well. Security’s relationship with open source initially had less to do with reacting to specific situations and more to do with establishing trust in the community overall, she said. That changed with the onset of cyberattacks such as SolarWinds, but the actual practices for vulnerability management and technology controls didn’t. That means security operates today much the same as it did 50 years ago despite significant technology changes. Security professionals are reevaluating, which will likely lead to “a new wave of innovation,” Fox said.
Nicole Laskowski is a senior news director for TechTarget Editorial. She drives coverage for news and trends around enterprise applications, application development and storage.
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.