Last year, while speaking at RSA, a reporter asked me about container provenance. This wasn’t the easiest question to answer because there is a lot of nuance around containers and what’s inside them. In response, I asked him if he would eat a sandwich he found on the ground. The look of disgust I got was priceless, but it opened up a great conversation.
Think about it this way: If there was a ham sandwich on the ground that looked mostly OK, would you eat it? You can clearly see it’s a ham sandwich. The dirt all brushed off. You do prefer wheat bread to white. So what’s stopping you? It was on the ground. Unless you’re incredibly hungry and without any resources, you won’t eat that sandwich. You’ll visit the sandwich shop across the street.
The other side of this story is just as important though. If you are starving and without money, you’d eat that sandwich without a second thought. I certainly would. Starving to death is far worse than eating a sandwich of questionable origin. This is an example you have to remember in the context of your projects and infrastructure. If you have a team that is starving for time, they aren’t worried about where they get their solutions. For many, making the deadline is far more important than “doing it right.” They will eat the sandwich they find.
This year at RSA, I’m leading a Peer2Peer session titled, “Managing your open source.” I keep telling everyone that open source won. It’s used everywhere; there’s no way to escape it anymore. But a low-cost, flexible, and more secure software option must have some kind of hidden downside, right? Is the promise of open source too good to be true? Only if you don’t understand the open source supply chain.
Open source is everywhere, and that means it’s easily acquirable. From cloning off of github to copying random open source binaries downloaded from a project page, there’s no stopping this sort of behavior. If you try, you will fail. Open source won because it solves real problems and it snuck in the back door when nobody was looking. It’s no secret how useful open source is: by my guesstimates, the world has probably saved trillions in man hours and actual money thanks to all the projects that can be reused. If you try to stop it now it’s either going to go back underground, making the problem of managing your open source usage worse or, worse still, you’re going to have a revolt. Open source is amazing, but there is a price for all this awesome.
Fundamentally, this is our challenge: How do we empower our teams to make the right choices when choosing open source software?
We know they’re going to use it. We can’t control every aspect of its use, but we can influence its direction. Anyone who is sensitive to technical debt will understand that open source isn’t a “copy once and forget” solution. It takes care and attention to ensure that you haven’t just re-added Heartbleed to your infrastructure. Corporate IT teams need to learn how to be the sandwich shop - how do we ensure that everyone is coming to us for advice and help with open source instead of running whatever they find on the ground? There aren’t easy answers to all of these questions, but we can at least start the discussion.
In my RSA Peer2Peer session we’re going to discuss what this all means in the modern enterprise:
- How are you managing your open source?
- Are you doing nothing?
- Do you have a program where you vet the open source used to ensure a certain level of quality?
- How do you determine quality?
- Are you running a scanner that looks for security flaws?
- What about the containers or Linux distribution you use, where did that come from, who is taking care of it?
- How are you installing your open source applications on your Linux or even Windows servers?
There are a lot of questions, too many to ask in a single hour or day, and far too many to effectively answer over the course of a career in IT security. That’s okay though; we want to start a discussion that I expect will never end.
See you at RSA on Tuesday February 14, 2017 | 3:45 PM - 4:30 PM | Marriott Marquis | Nob Hill C