Black Duck CTO Talks Open Source, Security at AstriCon

September 28, 2016

Businesses have broadly embraced open source, enabling greater opportunity to add new functionality to applications. But organizations need to pay attention to the security of this software and be proactive in addressing vulnerabilities when they come to light.

That was the word from Bill Ledingham, CTO and executive vice president of engineering at Black Duck Software, who this morning provided the keynote speech at AstriCon. The event, taking place this week in Glendale, AZ, is being staged by Asterisk creator Digium Inc.

Black Duck and North Bridge Venture Partners have conducted open source software surveys for many years, Ledingham said. The most recent survey showed that open source is not just going mainstream; it is now the de facto approach many companies use for software development and for the applications they consume internally. So in the last decade, he added, open source has gone from a niche technology to a top-of-mind consideration in how organizations roll out new capabilities and services.

A lot of young developers are now well-versed in open source, and applications are assembled rather than written from scratch, with open source components used as the building blocks. Componentization drives reusable functionality, makes components and subcomponents easier to test, and makes it easier to add functionality, he said.

Open source is appealing, Ledingham said, because it reduces developer costs, frees developers to work on other tasks, and accelerates time to market for new functionality. Open source can be found in up to 90 percent of apps and services today, he added.

Today more than 1.5 million open source projects exist; about 8,500 websites contain open source software; and more than 2,400 different license types are in use today. Open source is playing a key role today in cloud platforms (such as Cloud Foundry and OpenStack), containers (via companies like Docker, Red Hat, and others), big data (including companies and environments like Apache Storm, Hadoop, MongoDB, MuleSoft, and MySQL), mobile (Android), IoT (IoTivity, others), and machine learning (BVLC, Spark, and TensorFlow).

Open source is also closely aligned with the DevOps trend, he said, explaining that it is used from source code management systems all the way to deployment in production environments. That way, developers no longer throw their software over the fence to QA and then to production; instead, organizations make the lifecycle seamless, with the product automatically tested along the way, so there is no long, manual QA process.

A lot of what is happening with DevOps is not new, he added; it is borrowed from what has been happening in manufacturing. It is about shortening the time from a new idea being hatched to extracting value from that idea.

But while open source has moved forward significantly, and enabled businesses to be more efficient and effective in the process, open source does have its challenges, Ledingham noted. Specifically, he said, open source security and management practices have not kept pace with rapid adoption, and, in the wake of high-profile breaches (like Heartbleed), more emphasis is needed on security. And he mentioned the following statistics:

  • 67 percent of applications reviewed contained open source security vulnerabilities;
  • 40 percent of the open source vulnerabilities in each application were rated severe;
  • 105 is the average number of open source components in each application;
  • 22.5 is the average number of open source component vulnerabilities in each application;
  • 1,894 days is the average age of open source component vulnerabilities at scan time;
  • 10 percent of applications included Heartbleed vulnerabilities.

“Open source code is just as secure as the commercial code,” he said. “But part of the challenge is everyone, as consumers of the open source, it is really up to you as an organization to know that a patch exists and to go out and” get and implement it.
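As an added illustration of what the statistics above measure and what the quoted advice asks of an organization, here is a small Python sketch. It is not Black Duck's tooling and nothing from the talk; it reads a constructed dependency manifest, matches each component against a constructed local advisory list standing in for a real vulnerability feed, and reports each finding's severity and age at scan time along with the aggregate figures the bullets describe (vulnerable components, share rated severe, mean age in days). Component names, versions, dates and severities are all made up.

```python
"""Minimal open source component inventory check.

Added example, not Black Duck's code. The manifest, advisory list, component
names, versions, dates and severities are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Component:
    name: str
    version: Version


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: Version  # first affected version (inclusive)
    fixed: Version       # first fixed version (exclusive upper bound)
    published: date      # when the advisory became public
    severity: str        # "severe" or "moderate" in this toy feed


def parse_version(text: str) -> Version:
    """Turn a dotted version string like '1.0.1' into a comparable tuple of ints."""
    return tuple(int(piece) for piece in text.strip().split("."))


def parse_manifest(text: str) -> List[Component]:
    """Parse 'name==version' lines; blank lines and '#' comments are ignored."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        components.append(Component(name.strip(), parse_version(version)))
    return components


def find_vulnerable(components: List[Component], advisories: List[Advisory],
                    scan_date: date) -> List[Dict]:
    """Match each component against the advisory list and compute age at scan time."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv.component == comp.name and adv.introduced <= comp.version < adv.fixed:
                findings.append({
                    "component": comp.name,
                    "version": comp.version,
                    "fixed_in": adv.fixed,
                    "severity": adv.severity,
                    "age_days": (scan_date - adv.published).days,
                })
    return findings


def summarize(components: List[Component], findings: List[Dict]) -> Dict:
    """Aggregate figures of the kind quoted in the talk, for this one application."""
    vulnerable = {f["component"] for f in findings}
    n = len(findings)
    return {
        "components": len(components),
        "vulnerable_components": len(vulnerable),
        "findings": n,
        "severe_share": round(sum(f["severity"] == "severe" for f in findings) / n, 2) if n else 0.0,
        "mean_age_days": round(sum(f["age_days"] for f in findings) / n) if n else 0,
    }


# Constructed manifest for a hypothetical application.
MANIFEST = """
# constructed dependency manifest
libexample==1.0.1
jsonparse==2.3.0
netutil==0.9.4
logfmt==4.1.0
"""

# Constructed advisory feed; none of these correspond to real projects or bugs.
ADVISORIES = [
    Advisory("libexample", (1, 0, 0), (1, 0, 2), date(2014, 4, 7), "severe"),
    Advisory("netutil", (0, 8, 0), (0, 9, 5), date(2015, 1, 15), "moderate"),
    Advisory("netutil", (0, 9, 0), (0, 10, 0), date(2016, 6, 1), "severe"),
    Advisory("jsonparse", (1, 0, 0), (2, 0, 0), date(2013, 3, 3), "severe"),  # 2.3.0 is already fixed
]

SCAN_DATE = date(2016, 9, 28)


def run() -> Dict:
    components = parse_manifest(MANIFEST)
    findings = find_vulnerable(components, ADVISORIES, SCAN_DATE)
    for f in findings:
        print(f"{f['component']} {'.'.join(map(str, f['version']))}: {f['severity']}, "
              f"fix available in {'.'.join(map(str, f['fixed_in']))}, "
              f"advisory {f['age_days']} days old at scan time")
    return summarize(components, findings)


if __name__ == "__main__":
    print(run())
```

The point of the age column is the one the 1,894-day statistic makes: a fix existing upstream does nothing for an application until someone inventories its components, notices the advisory, and upgrades. A real deployment would replace the inline advisory list with a maintained vulnerability feed and run the check in the CI pipeline described in the DevOps paragraph above.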

Edited by Alicia Young