Open-source software started out as a grassroots movement and morphed in a short time into a mega-industry. Today, open-source code boosts modern business application delivery - allowing development and operation teams to be more agile, enjoy solutions that are custom-fit to their needs, and lower development and rollout costs.
There's no question that open-source solutions reside, quite literally, in the beating heart of nearly every enterprise. The question is, can we trust them?
Where Did Open-Source Come From?
The open-source revolution began, by most accounts, with the staggering success of Red Hat Linux. From the mid-1990s, and against the predictions of vendors and analysts alike, Red Hat took the open-source Linux platform and turned it into a multinational enterprise that grew from $6 million in yearly revenue in 1998 to over $2 billion in 2017.
Beyond proving that an open-source-based business model could be viable, Red Hat also proved that open-source solutions could effectively meet the needs of enterprise-class customers. This opened the door to the evolution of a whole new set of enterprise tools based on open-source platforms. Today, you'll find open-source platforms like MySQL, Linux, Hadoop, Kubernetes and more in almost every enterprise data center worldwide.
And the uptake of open-source solutions just keeps growing.
A recent report by Black Duck estimated that over 95% of applications contain open-source elements. Moreover, according to the report, company stakeholders consistently underestimated the amount of open-source software used in their organizations by 100%.
Where Is Open-Source Hiding?
Today's agility and time to market demand that development teams integrate numerous prepackaged code components – the building blocks of applications – many, many of them open-source.
According to a recent survey by a major business analytics software vendor, 33% of software in use by organizations is pure open-source. And even the remaining 67% of enterprise solutions considered “proprietary” may incorporate open-source components, whose existence may never be disclosed to customers.
The Dark Side of Open-Source
The benefits of open-source are many and significant. Open-source code speeds development cycles, lets teams focus on core business functionality, and tends to be more interoperable and easily customizable. And of course, open-source software is free – a fact that no cost-conscious enterprise can ignore.
Yet there is a darker side to open-source. Together with the benefits, open-source software and components carry hidden risks that can be potentially devastating. Look at Equifax, for example: one of the most prominent and massive data breaches of 2017, in which the PII of nearly 150 million customers was exposed, is now being blamed on a security flaw in an open-source component.
Many open-source security vulnerabilities have not yet been identified. Yet many – like Heartbleed, Shellshock and POODLE, to name just a few – are well known and documented. Despite this, a recent audit of financial industry applications by Black Duck found an average of 52 open-source vulnerabilities per application, with over 60% of applications containing high-risk vulnerabilities.
And there are even more hidden risks: open-source components and applications often suffer from reliability issues and unexpected runtime behaviors as a result of sub-par QA. Open-source code can be preset to “dial home” to various sites, creating hazardous backdoors into mission-critical applications. And it has been known to carry embedded, yet dormant, malware – which can be remotely activated once the target application is resident in the enterprise data center. This occurs both because of the nature of open-source code – anyone can access and maliciously modify it – and because there is no vendor monitoring the code and issuing security patches.
Enjoying the Benefits of Open-Source, Safely
Open-source is here to stay and will continue to prosper. Organizations cannot avoid using open-source – it is imperative for remaining competitive in today's hyper-competitive business ecosystem. The fact is, open-source code is running inside your data center – close to your most sensitive and valuable assets – whether you're aware of it or not.
DevOps and Security teams should be adopting tools that mitigate the risks of open-source by providing real-time visibility into open-source operation, monitoring the actual runtime activity of the code. No matter what you do before runtime, you need to be sure that when open-source is misbehaving at runtime, you have the proper detection and protection tools in place to stop it from damaging your critical assets, your business and your reputation.