- Security is a looming issue for deployments based on open-source software, Kubernetes co-founder Craig McLuckie said
- Maintainers of key foundational projects are aging out, leaving the software unattended
- Enterprises also have a poor grasp on what open-source dependencies are in their systems
Craig McLuckie knows a thing or two about open-source software. Now the CEO of supply chain security startup Stacklok, McLuckie was one of the co-founders of the Kubernetes project back in 2013. So, when he says there’s an “existential” crisis looming over the cloud’s open-source foundations, you listen.
For years now, thousands of open-source software projects have been developed, maintained and advanced by a global army of volunteers. McLuckie characterized open-source projects as a sort of crowning achievement for humanity, representing the sum total of the world’s intellect. But he said there’s one big vulnerability that comes with the collaborative approach: security.
“As the world’s changed, as it’s got darker, as hostile actors have become more sophisticated, you have this ecosystem, this playground in which they can start to do bad things easier. And that is going to become existential,” McLuckie told Silverlinings at the Cloud Executive Summit.
The worry, he continued, is that malicious open-source contributors may already be planting the seeds for massive security incidents.
“Existential” might sound like a bit of an exaggeration but it’s really not. According to the Linux Foundation, 90% of all cloud infrastructure runs on open-source Linux software, and has done so since at least 2017.
The Cloud Native Computing Foundation found open-source projects continue to rank among the most popular cloud solutions, accounting for 77% of open source monitoring, 71% of database and 39% of CI/CD implementations last year.
And if the 2016 Left-pad and 2021 Log4j incidents have taught us anything, it’s that tweaks to even small or obscure bits of open-source code can have huge impacts.
No easy fix
There are two issues that make the security problem a little tricky to address. The first, McLuckie said, is dependency sprawl. That is, many enterprises don’t really have a grasp on all the open-source software their applications are running. So, if a key stilt at the bottom is attacked, the whole stack could tumble.
“Every cloud provider will run a program where they scrutinize open-source dependencies” and ensure that everything their engineers use is appropriately vetted, McLuckie said. “They’re able to do that individually for themselves. But that’s not necessarily then made available to their consumers directly.” That means that while dependencies for the cloud infrastructure itself may be screened and secured, those of the applications enterprises run on top may not be.
Andrew Guenther, Principal Software Engineer at Orbital Sidekick and former AWS technical lead, said at the Summit that there’s also a population shift happening in the open-source community that could put less prominent projects in danger of becoming stranded (or, as McLuckie put it, becoming “abandonware”).
He noted that open-source as a philosophy has existed for nearly half a century at this point. But now that it’s really picking up steam “this generational problem is becoming real for the first time and you have these large libraries that they’re losing maintainers and they don’t have good candidates to replace them.”
Log4j is a perfect example of what can happen when a previously large and active community slowly fades away until just a handful of people are left to maintain the project, he said.
The struggle to bring in new contributors is real – especially for what are now deemed “legacy” projects that are “no longer sexy,” Guenther said.
“So, what happens to those open-source libraries? I think that’s a question that we’re only just now starting to grapple with because it’s becoming a problem for the first time,” he continued.
McLuckie added the problem “gets worse” when you consider that one of those handful of maintainers could be a hostile state actor, but concluded, “We have to move beyond the [common vulnerabilities and exposures] as the primary currency for open-source consumption.”
He added, “We have to find a set of heuristics that makes sense based on the sustainability of the community that’s using it. We won’t be able to do this en masse, we won’t be able to just rip and refit everything. But we can at least start to identify the critical pieces, that toothpick that the rest of the internet is built on…and start to direct our resources toward bolstering that toothpick.”