Jason Pufahl 00:10
Hey, guys. So today, we’re going to talk a little bit about a story that we saw recently where there was some, I mean, I guess I’ll call them significant investments being made to the open-source software community. I say that because I think, what, what was the number $30 million, potentially being pledged as an investment?
Matt Fusaro 00:37
Yeah, as the initial funding, yeah.
Jason Pufahl 00:40
Which, yeah, it’s a fair amount of money, right? I don’t know that it’s going to mean the biggest change at some of these open-source security platforms necessarily. But, you know, for us, I think the takeaway largely was, it’s great to see an investment being made by, you know, things like The Linux Foundation, or, or frankly, right, the Amazon, Google, Microsoft, etc., you know, large companies making investments in some of these open-source projects.
Steven Maresca 01:06
Yeah, I think their commitment is intended to increase over time, it’s a reflection that they, even as companies that are producing proprietary software, are in some capacity dependent on open-source tools. And that’s an interesting acknowledgement, especially for, you know, Microsoft, which traditionally has, you know, avoided this subject like the plague.
Matt Fusaro 01:29
They’ve gotten better. I will say that, I don’t typically give Microsoft credit where it’s not due. But, yeah, they’ve done a decent job.
Steven Maresca 01:39
And I agree with you completely. It’s just that the popular perception for 20 years has been the opposite.
Matt Fusaro 01:43
Oh, for sure.
Steven Maresca 01:44
This is a relatively new trend that many people may not be aware of. I think that it’s appropriate for investments to be made by the larger technology entities. But I do think it’s important to say, for those who might not be aware that open-source products, open-source projects in general, already have sort of implicit funding. Great example, you know, Linux itself, The Linux Kernel, Java, as ecosystems, you know, a lot of the application servers that exist, they are fundamentally built by staff employed explicitly by the bigger technology entities for no other purpose. Intel, for example, employs a boatload of engineers to implement hypervisors on their chips.
Matt Fusaro 02:30
Oh yeah, their code shows up in quite a few projects. I mean, almost the entirety of The Apache Project has corporate backing somehow, right? Whether it’s just they pay, they literally will pay software engineers just to work on open-source software. Right? Even if they don’t necessarily own license to it, they rely on it so much that they need to make sure that it’s kept up.
Jason Pufahl 02:53
Yeah, I think, for me, what I took away from this as I started to think about the types of folks who are listening to the podcast, is using open-source, maybe as opposed to potentially using commercial products, right. And, you know, an investment like this, I think it’s just sort of further evidence that those products are reasonably well-maintained. Often, you know, they’re securely written with some significant potential peer review, as a result of this, right. The takeaway is: don’t avoid open-source necessarily, just because you think it’s not your commercial off-the-shelf software.
Steven Maresca 03:30
Right. And I consider it sort of a false dichotomy. It’s not open-source or proprietary software; most proprietary software these days, and I mentioned, you know, sort of in prep for this episode, VMware, just as sort of an example case. Their platform, their virtualization platform, has an enormous disclosure list of open-source software. And really, the dynamic between open-source or proprietary is, how much are you willing as an organization to support it yourselves with your own staff.
Jason Pufahl 04:02
And licensing? Probably.
Steven Maresca 04:03
Exactly. That’s really the decision between one or the other. The context that we’re talking about here in terms of funding explicitly for security projects, or security maintenance, really, I think is a reflection that open-source software is innate, it’s embedded in the underpinnings of the internet, in the really, really profound tools that we use, as technologists, and therefore, as sort of a foundational element, needs to be shored up, needs to be audited, needs to be improved.
Matt Fusaro 04:39
Yeah, I mean, they specifically call out a few things in here, which I agree with, you know, there’s a lot of projects that are highly utilized by written in either all languages quite honestly that just aren’t up to the standards that we have now. So they’re looking to convert a lot of those things. They specifically called out C and C++ which I found funny. One thing that I definitely want to address in this is that, you know, they’re saying that their total investment, they’re estimating $150 million, I think they’re way off on that one.
Jason Pufahl 05:13
You think they should invest more, is that what you mean?
Matt Fusaro 05:15
Absolutely. I mean, if you just think about the cost of a developer these days, you’re talking, depending on your location, talking to anywhere between what, like $75,000 to $300 grand, depending on what you’re asking them to do, right, or to put a project together. On that scale, you got a decent sized team, but they’re not going to solve all of open-source’s problems.
Steven Maresca 05:38
Yeah, I think we’re talking about magnitudes that are more in-line with corporate valuations as being necessary to support the ecosystem appropriately. You know, this is a starting point. And it’s not exactly the first time it’s happened. There are bug bounties and, you know, public support for security as an end, in general. But this is a really substantial reinvigoration of that.
Matt Fusaro 06:01
Yeah, I agree. I think a lot of this probably came out of something like a Log4j.
Steven Maresca 06:06
I believe that as well.
Matt Fusaro 06:08
Correct me if I’m wrong, that was mostly unmaintained for a while, there’s one contributor that wrote the entire thing. And that’s that, and then we had that whole situation.
Steven Maresca 06:18
Right, right. I think it’s a recognition that a lot of perceived-to-be-mature, and, you know, “finished software” is embedded everywhere, right. And it just requires attention, and care and feeding just like everything else. Elements of this plan that they’re, you know, helping to deliver and fund with the $150 million potential investment include educating and certifying developers in secure programming, creating actual metrics for reporting security, you know, essentially trying to facilitate security as an overall practice and discipline we’re talking about even during security incidents, code review, that type of thing. It’s broader as a subject.
Jason Pufahl 07:06
So I have nothing to say now, because that’s exactly, exactly what I was going to say, which was I like the emphasis on the training aspect, right, the emphasis on ensuring that security is being developed. I think that’s really important. It’s not just about creating tools.
Matt Fusaro 07:21
Yeah, access to tools too, right, is important. And what I mean by that is, you know, back when I was writing more software than I do these days, one of the hardest things to do is to use some of the more unattainable analysis tools that you could put your code through for things that will do analysis to uncover bugs that you may have introduced, right? Those things cost thousands of dollars at the time. Now, I mean, it’s either completely available for free, or hopefully, projects like these are going to make those things available to developers, a little within grasp.
Steven Maresca 07:53
Right. It used to be the case that if you were an open-source project of some kind in a provable fashion, you could make a request of a company providing one of those tools, and they might have a program for providing it, you know, not for resale license or something like that. But that was an exception, rather than the norm.
Matt Fusaro 08:12
And usually went to unmonitored email boxes.
Steven Maresca 08:15
These days, it’s sort of more community good effort that’s actually part of public relations, I’d say.
Matt Fusaro 08:23
Yes, I agree.
Jason Pufahl 08:26
So, I don’t know if there’s a ton more to talk about necessarily relative to this. I think it’s mostly we wanted to make sure we brought it to folk’s attention. I think the investment is definitely important.
Steven Maresca 08:38
I would say, you know, in general, it’s important to understand that open-source software is no more or less secure than closed-source software. And the same is true in the other direction. It’s about quality of security practice, it’s about diligence of actual developers. And the truth is that when you’re building a product, whether it be for fun, or an open-source project, or an enterprise that is trying to ship something quickly, emphasis is not always on secure coding. And it takes effort that is orthogonal to the actual effort of building that tool. Therefore, security is always a secondary process and second thought, regardless of the type of software. So this is essentially a statement to say, don’t fear open-source security, the investment is not necessarily an expression of a problem. It’s an encouraging statement that the big players in the industry are trying to support something they know, that is shared between all of them.
Matt Fusaro 09:38
Yeah, and if you’re bringing an open-source project into your security stack, or even if it’s not security, if you’re bringing open source in, then, you know, just do dual research on how it’s actually supported. If you go and look at a project on GitHub, and there’s, you know, 800 open issues and no one’s addressing them, probably not the best option of greeting your environment, right?
Jason Pufahl 09:59
Right. Actually, you know, it’s an interesting point in the sense of when you’re doing an evaluation of, say, commercial software, or maybe a SaaS vendor or something like that, you’ve got tools to turn to, right, they might have some sort of cloud assessment that they’ve done. Or they might have a SOC 2 that talks about their company. It might be a little trickier in some of the open-source projects to really understand what the security risks might be, short of spending some time combing through some of the resources that are there.
Matt Fusaro 10:29
Yeah, and there’s a lot more resources available these days than there used to be as well. There’s even built-in tools on a lot of the projects now, that will scan for those types of things.
Steven Maresca 10:40
And plenty of open-source projects that have code audits, attestations, and so forth.
Steven Maresca 10:45
Absolutely, a different landscape today.
Jason Pufahl 10:48
If people are interested in sort of getting a better understanding of that, you can Google the Open Source Software Security Mobilization Plan, you know, that’ll give you some clarity into what we’re talking about, as well. And bring up a whole variety of articles sort of on this subject, if there’s interest. And as always, right, if anybody’s interested in learning a little bit more about it or wants to chat with us about it, you know, hit us up on LinkedIn at Vancord or Vancordsecurity, Twitter. We’re happy to continue the conversation. And with that, yeah, we hope somebody took something away from this, a little bit of value, and we appreciate everybody listening.
Stay vigilant, stay resilient. This has been CyberSound.