Reimagining Cyber - real world perspectives on cybersecurity

Open-Source Software: Unlocking Efficiency and Innovation - Ep 88

March 13, 2024 Reimagining Cyber Season 1 Episode 88

What is the impact of open-source software (OSS) on modern software development? 

This episode delves into the findings of a recent study commissioned by Open Text and conducted by Forrester called "Unlock Resources With Automated Open-Source Discovery And Intake". Stan and Rob unpack the evolving role of OSS, shedding light on both its opportunities and challenges.

With 70% of organizations reporting that over half of their coding efforts involve OSS, it's evident that OSS plays a pivotal role in accelerating innovation and reducing costs in software development. However, as the hosts discuss, this rapid adoption isn't without its hurdles.

From ensuring security and compliance to navigating through the complexities of OSS licensing, organizations face a myriad of challenges. Stan and Rob examine the ramifications of overlooking security vulnerabilities, compliance standards, and licensing terms, drawing from real-world examples to underscore the importance of diligent management practices.

But amidst the challenges lies a beacon of hope: automation. The hosts explore how automation is revolutionizing the discovery and integration of OSS components, paving the way for more secure and compliant software development processes. From streamlining discovery to prioritizing security early in the development cycle, automation holds the key to enhancing productivity and mitigating risks.
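As an added example (this is not the report's tooling, nor OpenText's or Debricked's product), here is a minimal automated intake gate in Python that applies the three checks the episode discusses to a dependency manifest: a known-vulnerable version, a license a proprietary-distribution policy forbids, and a project that looks unmaintained. The manifest, the release dates, the `example/*` package names, the policy thresholds and the simplified advisory ranges are constructed for the example; a real gate would take the manifest from a lockfile or SBOM and the advisories from a live feed.

```python
"""Minimal automated OSS intake gate (added example, not the report's tooling).

Given a parsed dependency manifest, apply three intake checks:
  1. vulnerability: the version falls in a known-affected range,
  2. license:       the license is not permitted for a proprietary, distributed product,
  3. maintenance:   the project's last release is older than a threshold.
Any "block" finding fails the gate; "review" findings are routed to a human.
All inputs below are constructed inline so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date

# Constructed manifest: what a lockfile/SBOM parser would hand to the gate.
# Release dates are assumed; the example/* packages do not exist.
MANIFEST = [
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1",
     "license": "Apache-2.0", "last_release": "2023-12-18"},
    {"name": "example/fast-parser", "version": "1.4.0",
     "license": "GPL-3.0-only", "last_release": "2023-06-01"},
    {"name": "example/legacy-utils", "version": "0.9.2",
     "license": "MIT", "last_release": "2019-02-10"},
    {"name": "org.apache.commons:commons-lang3", "version": "3.14.0",
     "license": "Apache-2.0", "last_release": "2023-11-22"},
]

# Constructed advisory feed using OSV-style half-open ranges [introduced, fixed).
# The two Log4Shell CVE ids are real, but the ranges are simplified for the
# example: they ignore the 2.12.x / 2.3.x backport releases that also shipped fixes.
ADVISORIES = [
    {"package": "org.apache.logging.log4j:log4j-core", "id": "CVE-2021-44228",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"package": "org.apache.logging.log4j:log4j-core", "id": "CVE-2021-45046",
     "introduced": "2.0", "fixed": "2.16.0", "severity": "critical"},
]

# Constructed policy for a proprietary product that is distributed to customers.
POLICY = {
    "deny_licenses": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "review_licenses": {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"},
    "block_severities": {"critical", "high"},
    "stale_after_days": 365 * 2,
}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    check: str    # "vulnerability" | "license" | "maintenance"
    action: str   # "block" | "review"
    detail: str


def parse_version(v):
    """Dotted numeric version to a comparable tuple; '2.0-beta9' -> (2, 0)."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def check_component(component, policy, advisories, today):
    """Run all three intake checks on one manifest entry and return its findings."""
    name, version = component["name"], component["version"]
    findings = []
    for adv in advisories:
        if adv["package"] == name and version_in_range(version, adv["introduced"], adv["fixed"]):
            action = "block" if adv["severity"] in policy["block_severities"] else "review"
            findings.append(Finding(name, version, "vulnerability", action,
                                    "%s (%s), fixed in %s" % (adv["id"], adv["severity"], adv["fixed"])))
    lic = component["license"]
    if lic in policy["deny_licenses"]:
        findings.append(Finding(name, version, "license", "block",
                                "%s is not permitted in a proprietary distribution" % lic))
    elif lic in policy["review_licenses"]:
        findings.append(Finding(name, version, "license", "review", "%s requires legal review" % lic))
    age_days = (today - date.fromisoformat(component["last_release"])).days
    if age_days > policy["stale_after_days"]:
        findings.append(Finding(name, version, "maintenance", "review",
                                "last release %d days ago; project may be dormant" % age_days))
    return findings


def run_gate(manifest, policy, advisories, today):
    """Return (allowed, findings). The gate fails on any 'block' finding."""
    findings = [f for c in manifest for f in check_component(c, policy, advisories, today)]
    allowed = not any(f.action == "block" for f in findings)
    return allowed, findings


if __name__ == "__main__":
    ok, found = run_gate(MANIFEST, POLICY, ADVISORIES, date(2024, 3, 13))
    for f in found:
        print("%-6s %-13s %s@%s: %s" % (f.action.upper(), f.check, f.package, f.version, f.detail))
    print("intake:", "allowed" if ok else "blocked")
```

Run against the constructed manifest on 2024-03-13, the gate blocks: log4j-core 2.14.1 trips both advisories, the GPL-3.0-only package is denied outright, and the library with no release since 2019 is sent for review; commons-lang3 passes cleanly. Because the checks run over the parsed manifest rather than over the developer's workflow, the same function can sit in a pre-merge CI job, which is where the early detection the episode advocates actually pays off.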

Looking ahead, Stan and Rob speculate on future directions in OSS management, emphasizing the need for collaboration, early detection of security issues, and continued innovation in the space. Whether you're a developer, a legal expert, or a cybersecurity enthusiast, this episode offers valuable insights into the ever-evolving landscape of open source software.

Tune in to gain a deeper understanding of the opportunities and challenges presented by open source software, and discover how organizations can navigate the open source seas with confidence and agility.

Report:
https://www.microfocus.com/en-us/assets/cyberres/automating-open-source-compliance

Debricked Open Source Select - a search engine where you can find, filter for and evaluate open source packages and repositories.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Transcript

[00:00:00] Stan Wisseman: Welcome to another episode of the Reimagining Cyber podcast. I'm Stan Wisseman, and as always, I'm joined by my co-host, Rob Aragao. Today, we're diving into the evolving role of open source software in modern software development. There was a recent study done by Forrester that was commissioned by Open Text and included 236 open source projects and decision makers, as far as the source of the study, and 75 full-time software developers in both Europe and the U.S.

[00:00:30] And the report revealed some interesting information we want to talk about today. We all know how important open source software has become in modern development. The survey showed that 70 percent of organizations reported that over half their coding efforts include open source software.

[00:00:51] Yeah, we know that it's prevalent and it's used, but there are also some challenges, and we'll get into both. So Rob, let's go ahead and get started.

[00:00:59] Rob Aragao: [00:01:00] So you actually touched upon one of the first areas I'll cover, which is just the rapid adoption of open source components within any development shop at this point in time, some more than others for sure.

[00:01:12] But in that growth, what does it break down to? What's the reasoning behind it? And it really simplifies itself into three specific areas. First, it's a competitive edge, right? It allows organizations to innovate much faster by leveraging what open source components are already out there and available for them, that they can take back in, utilize, and again, allow them to deliver that solution at the end of the day that they're working on quicker to market. The other aspect ties into an opportunity for reducing costs

[00:01:44] while also improving and optimizing your resources overall. And a lot of that really attributes itself back to the challenges that organizations have dealt with in the past in managing the processes and the integration associated with open source components. [00:02:00] So these open source components being available, these open source components being actually approved for an organization to use in the development process, allows them to move through developing new software,

[00:02:14] updating some different software components, if you will, but again, reducing the cost associated with delivering that actual update or new software package out to the market. So again, really an opportunity for the organization to look at and utilize for reducing costs while improving the resources and the optimization of the resources overall.

[00:02:34] And then a third piece ties back into the world that we live within, of course, around security as well as compliance, right? So when you look at that, a lot of security concerns come along with open source components. Again, it is the majority of what you see code being built off of nowadays. But how do you actually ensure that those components are truly vetted, the security controls are put in place, any of the identified security [00:03:00] defects or vulnerabilities are actually corrected, and then again approved components for the organization to use? And then it allows them obviously to deal with actual prioritization of things around data protection and regulatory compliance that we've all seen and dealt with in the past as well. So again, if you isolate the rapid growth and adoption of open source, it comes down to competitive edge, driving reduction in cost, while also entailing the security components required to be able to stay in compliance.

[00:03:31] Stan Wisseman: Sort of like the wild, wild west out there.

[00:03:33] Right? I mean, it's full of opportunity. Great opportunity to leverage this. But at the same time, it's riddled with challenges you have to overcome, and I think the study painted a pretty vivid picture of this. One of the primary challenges is, again, the rigorous vetting of the possible security vulnerabilities or flaws within these open source components,

[00:03:59] [00:04:00] and also trying to ensure that you didn't bring in noncompliance, right? And that takes a lot of time and resources to deal with. And 83 percent of organizations that responded to this study also had revised or completely abandoned code that failed to adhere to security or compliance standards.

[00:04:25] So those are pretty big ramifications. And if you think about some examples of this, if a company leverages an OSS component that has known security vulnerabilities but they failed to update to the more secure version of it, that oversight could be exploited by attackers, and a prime example of that,

[00:04:45] that's pretty notable, right, is Log4j. Mm hmm. Yeah. And we've covered that in a podcast episode. I think it was episode 27. And again, if you aren't being very diligent, especially when we're talking about around [00:05:00] when that incident happened, there were updates occurring on a frequent basis.

[00:05:03] They thought they fixed it and it wasn't. And then they had to put another version out. And so organizations have to be on their toes. And then in the context of OSS licensing, you can also get in trouble in that context, right? If you are incorporating OSS into a proprietary product without adhering to those licensing terms,

[00:05:26] it could lead to legal action or copyright infringement, and a well-known example of this one was where VMware was sued for their alleged infringement of the GNU General Public License, or GPL. The claim back then, I don't know if you remember this one, was that VMware had incorporated portions of the Linux kernel code, which is GPL licensed,

[00:05:51] into their proprietary ESXi product without complying with the GPL terms, particularly the requirement around releasing the source [00:06:00] code of derived works, right? Which of course VMware would not want to do for ESXi. So that's another example where there's a potential gotcha as an organization.

[00:06:11] Another one is, again, developers might rely on OSS libraries that are no longer being maintained. So those projects may be dormant, and so you're leveraging code in your proprietary product, or in your build, that may be unmaintainable, in the sense that the project is no longer active.

[00:06:33] So you have to be aware of the health of the community of the software that's being developed. And so those are just examples of how you have to have diligent management processes and practices for open source software in your organization, recognizing that your developers are going to use open source software now.

[00:06:51] How are you ensuring that you're not going to trip yourself up in the process of leveraging it? So, [00:07:00] Rob, I think that's another aspect of the study, as far as some of those inefficiencies and the impact of those inefficiencies on that management process, right?

[00:07:10] Rob Aragao: Well, it is, and let's build upon it a little bit.

So now let's think about again the open source management side of the equation that you've been talking about a little bit, Stan. And it's the opposite side of the corner from what I talked about, some of the opportunities that it's presented with the rapid adoption. And that comes in when you're seeing open source policies put in place

[00:07:29] and development teams working again to leverage the open source components that they can. The policies at some points in time are actually delaying them, right? So now we're going in the wrong direction, and we're not being so efficient. So what it's come down to is broken down into a few different areas.

[00:07:48] The study actually talks about how developers are spending up to those five hours navigating through the different policies, right? Indicating a major loss of productivity. That's causing a [00:08:00] lot of friction, if you will, right? So frustration comes into play for the adoption,

[00:08:04] right, of the developers using the tooling, using the policies and the management processes put in place. We know on the inverse side of it, we have to actually have those policies in place because again we go back to the security aspects of that, right? We don't want those incorrect components being used within the code, getting out, and then causing obviously the ramifications of potential security breaches, compliance issues, and everything else that comes along for the ride that we've discussed in many, many episodes in the past.

[00:08:29] So the other aspect then again goes back to the reverse logic of what I talked about in opening up the opportunities it presents, which is, as you know, now we're looking at actually increasing the cost, right? Associated with the use again of poor OSS management processes and policies put in place, so that there's different challenges and trade-offs.

[00:08:49] But again, it's a maturation process. When you look at it, I think at the end of the day it should be much more on the positive side for rapid development in a secure fashion. But being able [00:09:00] to obviously make it that much easier for developers to truly understand that proper policies are in place, as seamless as you can possibly offer it to them, will help everyone in the long game of being able to use the different open source components they have out there.

[00:09:15] Stan Wisseman: Well, and that was one of the bright spots of the study, right, as far as how the role of automation is revolutionizing the way that companies can discover and integrate these open source software components in a way that's helping to ensure that they're compliant as well as secure. And it's great to see that some of this innovation is helping streamline that process.

[00:09:36] Because so many organizations are still using manual methods, and it's just a time drag for the developers as well as those that are auxiliary to them supporting this. So supporting or leveraging automation is cutting down on that manual work, but it's also paving the way for more secure and compliant integration long term. [00:10:00] So I think the study indicated that a solid 88 percent of those surveyed believe that automating OSS discovery and intake could dramatically boost developer productivity,

[00:10:06] and the idea here is simple: just by reducing that manual legwork needed to vet and integrate OSS, or open source software, developers can focus more on creating and less on paperwork, right? And then in the matter of compliance, again, with the automation side of things, identifying projects that don't meet the mark up front helps exclude a lot of wasted effort and time, right?

[00:10:37] So you don't have to find out later in the process that, oh, well, hey, if we actually use that open source component, we're now opening ourselves up to having to release our source code to be compliant with the license. They don't want those gotchas, right? And so that is a big top concern, especially for the legal and compliance side of the house.

[00:10:59] And of course, we [00:11:00] can't overlook the financial aspect. If you are automating your intake process, it means you're avoiding a lot of that expensive rework. You're discovering these issues early on, and it saves direct costs, but also spares the company a lot of those hidden costs for project delays.

[00:11:15] So, in short, Rob, I think automation, like we're seeing in many other areas, but the automation of this discovery of OSS components that you can use, that are secure, as well as being maintained properly, as well as having the licenses that you need to leverage in your build, is sort of like the trifecta of benefits, right?

[00:11:38] So it's again enabling organizations to leverage open source software more effectively. So we've sort of covered the state of today. I think Forrester also speculated about future directions. So why don't you get into that?

[00:11:56] Rob Aragao: They did. They did. Yeah. So, looking forward, you touched a little bit upon this [00:12:00] topic of increased automation within OSS management.

[00:12:03] And a lot of it comes in, as the report calls out, that this manual process of how you deal with open source components today needs to be driven to be much more efficient through adopting automated tooling to be able to support that in the different platforms. Some of those different initiatives really drive and center themselves around streamlining the discovery,

[00:12:25] the evaluation, and the integration of open source components themselves. So again, that will help the overall efficiency aspects. And again, reduce, hopefully, right, the security vulnerabilities that are actually out there, which comes into the other part of future directions that they call out, which is again security and compliance early in the development cycle.

[00:12:46] We've never discussed that before, Stan. I think this is a new topic for us, right?!

[00:12:50] Stan Wisseman: Yeah. I've never heard of that! 

[00:12:52] Rob Aragao: Right. So, this again is the key principle of really focusing and prioritizing the effort as it [00:13:00] relates to as-early-as-possible detection of any security and compliance related issues.

[00:13:05] And you've heard shift left for a long time. We're really driving much more of a topic within the survey itself, and Forrester, as it relates to start left, right? So start left as the approach, and emphasizing that approach, really being able to drive the standard practices: very early awareness that there's this project in place that we're going to get ready to launch, security at the table,

[00:13:28] but all of the aspects of open source lifecycle elements tied back into play right at the beginning. Right at the beginning of it, understand that there will be a project that we are getting ready to launch. And then the last piece that they call out as a real emphasis for future direction within this space is relative to collaboration and engagement.

[00:13:48] Right? So when you think about that, enterprises being able to leverage and share information within is important and still needs to improve, always will. [00:14:00] But then also being able to be much more open with the open source communities themselves, collaboration, proper communication at the end of the day will help everyone.

[00:14:08] And then it can always wrap it, right? Wrap it with that security aspect of really driving much more robust and compliant open source components out there and available for different projects that people can then leverage for their own purposes within their own enterprises as well.

[00:14:25] Stan Wisseman: Thanks, Rob. That was a good summary. Hey, I actually will be going up to Seattle to the Linux Foundation Open Source Software Conference in April, talking about this topic. And if our listeners happen to be in Seattle on April 16th, I'd love to have you join the session. But we will also provide the link to the report down in the notes for the podcast,

[00:14:52] if you're interested in reading it yourself. I think that the landscape for open source software continues to evolve, and it's [00:15:00] clear that, as a community, we need to adapt. We need to have planning around what we're using. And we need the right tools to help unlock the full potential.

[00:15:08] So, Rob, until next time.

[00:15:11] Rob Aragao: Until next time, Stan. It's been a pleasure.