In late 2021, a vulnerability was detected in the Java logging package Log4j, which is the most popular framework for logging in Java. It is used in millions of applications. Not only that, but it is used as a dependency in over 7,000 open-source projects, according to research from security software company Sonatype.
Given the widespread impact of the vulnerability of this package, it sparked a renewal of the conversation into supply chain security.
According to Javier Perez, chief evangelist for Open Source & API Management at OpenLogic by Perforce, a software supply chain is all of the components that exist in a piece of software, including any dependencies. Supply chain security is this notion that if one piece in your supply chain is vulnerable, the whole thing is vulnerable.
With Log4j, this meant that any company that used a piece of software that used Log4j was vulnerable, even if they themselves weren’t directly using the package.
It’s not just Log4j that companies need to fear. According to Sonatype’s 2021 State of the Software Supply Chain report, 29% of the most popular open-source projects contain known vulnerabilities.
The report also contained the daunting stat that there was a 650% year-over-year increase in supply chain attacks in 2021. “Members of the world’s open-source community are facing a novel and rapidly expanding threat that has nothing to do with passive adversaries exploiting known vulnerabilities in the wild — and everything to do with aggressive attackers implanting malware directly into open-source projects to infiltrate the commercial supply chain,” Sonatype wrote in its report.
Despite these threats of supply chain attacks, open source is thriving more than ever and most people tend to trust it more than proprietary or commercial software. Red Hat’s 2022 State of Enterprise Open Source report found that 89% of IT leaders think enterprise open source is either as secure or more secure than proprietary software.
The top reasons to love (or hate) open source
In OpenLogic by Perforce’s 2022 State of Open Source report, the company asked respondents why they choose open-source software and then compiled a top five list.
According to the report, the top five reasons companies are turning into open-source software are:
- Access to the latest technologies
- No license cost, or overall cost reduction
- Enables modernization of their technology stack
- There are many options
- Constant releases and patches
“Most, if not all, the innovation is happening in the open and open-source software,” said Perez.
However, the report also gathered the top four reservations companies have when it comes to adopting open-source software. These include:
- Lack of in-house skills to test, use, integrate, or support the technology
- Restrictions of some open-source licenses
- It doesn’t scale as well as proprietary software
- Lack of real-time support
Fortunately, these reservations can be addressed by leveraging enterprise open source rather than trying to go it alone.
What is enterprise open source?
Enterprise open source is a category of open-source software in which a company offers support for a specific project.
Red Hat technology evangelist Gordon Haff says: “The way our CEO, Paul Cormier likes to describe it is it’s enterprise software developed using an open-source development model. You get the benefits of an open-source development model where you’ve got different organizations cooperating on doing development. So you get that advantage of the open-source development model, but at the same time customers can treat it — I wouldn’t say they can treat it as proprietary software — but they get the same kind of support process, process, and so forth that they would hopefully get from any software.”
Adding to this, in a blog post from Red Hat: “To be what we’d call enterprise open source, a product requires testing, performance tuning, and be proactively examined for security flaws. It needs to have a security team that stands behind it, and processes for responding to new security vulnerabilities and notifying users about security issues and how to remediate them.”
According to Perez, there are a number of ways to commercialize an open-source project, but the most common one today is through the open-core model. In an open-core model, a company takes an open-source project and then adds functionality on top of it.
Perez explained that commercialization of open-source software has been particularly successful in the database space.
Another example is Kubernetes, for which there are hundreds of companies that offer products built around Kubernetes. “There are a lot of people out there for whom a managed Kubernetes service [makes sense]. They don’t want to have to hire a bunch of SREs to operate Kubernetes,” said Haff.
Security and enterprise open source
While security isn’t necessarily the only draw for enterprise open source, Red Hat’s survey shows that customers value it for a number of reasons relating to security.
- 52% like that security patches are well-documented
- 55% like being able to use well-tested open-source code in their applications
- 51% value that vulnerability patches are made available quickly
- 44% appreciate that there are more people reviewing and testing the open-source code
- 38% like being able to audit the code, which isn’t something they’d have access to if purchasing a proprietary solution.
According to Haff, when they started the survey four years ago, the number one benefit of enterprise open source was lower cost of ownership, but steadily over time attributes like security and high-quality software topped the list of benefits.
“I think in general, people are just seeing that open source and enterprise open source is just better software than proprietary,” said Haff.
However, Haff did emphasize that security is still the responsibility of the company, not the software provider. Even though these enterprise open source vendors might be providing quick patches to vulnerabilities, the companies still need to have the processes in place to apply those patches and also to know what software they have in their stack.
Companies still need in-house skills
OpenLogic’s 2022 State of Open Source report found that 41% of respondents struggle to keep up with patches on open-source infrastructure projects.
According to Perez, a reason for this is not that companies don’t have enough people on staff to manage this, but that the people they do have are inexperienced.
“[In the report] we also ask what were some of the barriers or concerns for you to adopt more open-source technologies? And the number one answer was the lack of access to skills, the expertise or the proficiency to do so,” said Perez. “Many people want to, for example, make more use of cloud native, more use of containers, more use of Kubernetes. And, they don’t do it just because they don’t have the skills, or don’t have the people with the proficiency and expertise to do it.”
Buying commercial software doesn’t really solve this issue, according to Perez. Sure, a company might be able to pay a little extra to get additional services or consulting, but “the ability to have someone to call, someone to assist on the configuration, that’s the other piece,” said Perez. “One thing is just keeping up with the patches, but the other piece is how do you properly configure the software, especially at a larger scale? And when companies are scaling up they need more software infrastructure? How do they configure it? How do they architect that and that’s where the need for skills becomes much more important. And that’s a fact. I mean, there are 1000s and 1000s of job openings right now for open-source skills.”
Haff reemphasized this need for companies to still have in-house skills to take advantage of the frequent patches that an enterprise open source vendor would provide.
“They do need to have processes in place,” said Haff. “And even if they’re buying enterprise open source software where there are patches made available rapidly, they still need to have the processes to apply those patches and to know what the software they have is out there. So you know, just because you’re using enterprise open source, or for that matter, just because you’re using Microsoft Windows, doesn’t mean you can go ‘oh, my vendor is taking care of security for me and I don ‘t need to think about it.’ Obviously that’s not the case.”
How to pick an enterprise open source vendor
The more popular projects likely have several different companies to choose from, with varying levels of support. Going back to the example of Kubernetes, there are fairly vanilla options for Kubernetes or there are options where things like monitoring, logging, CI/CD, distributed tracing, and other development tools are integrated into the platform, according to Haff.
“So if you try and do it yourself, there’s an awful lot of integration there. And really, Kubernetes itself is just the start of the story,” he said.
Haff says there are two main questions to ask when looking at solutions. First, do you want to have it on premises? And why is that? The second question would be what sort of skills are there in-house?
According to Haff, Red Hat finds that a lot of people who are struggling to adopt containers are struggling because of development staff or resources not being sufficient for their needs.
“Ultimately, if you’re going to be running Kubernetes clusters on prem, you’re gonna need some level of SREs and other people that I know how to do that,” he said.