Does Open Source Boost Security? Hortonworks Says Yes
Organizations are best served security-wise if they favor and adopt open source technology — especially enterprise open source — over proprietary alternatives, according to Hortonworks. However, not everybody agrees that open source software intrinsically is more secure.
It’s tough to argue that open source hasn’t brought significant benefits to the IT industry and the tens of thousands of organizations that rely on IT products to automate their operations. Starting with the introduction of Linux in the late 1990s, major swaths of the tech industry have shifted to open source development methodologies. That includes the vast majority of the big data ecosystem, which has been largely bootstrapped by various Apache Software Foundation projects.
It would be tough to find a more vocal backer of the benefits of open source than Hortonworks. The Santa Clara, California company has staked its reputation on its capability to transform a variety of open source projects — including but not limited to Apache Hadoop, Apache Spark, Apache Hive, and Apache NiFi — into cohesive and enterprise-strength data platforms.
The company’s Vice President of Public Sector, Shaun Bierweiler, argues that none of the innovation that’s so palpable in the big data space today would be possible without an open approach to development.
“Innovation at the pace at which technology in the data space is coming — it’s really difficult to do that in a closed model,” Bierweiler tells Datanami. “When you think about integration points, and the various technologies and players coming to market, if you don’t have an open approach and open model and open interfaces, it’s really difficult, costly and time-consuming to bring those pieces together.”
There’s clearly a strong correlation between open source and innovation in the big data space, and few would argue that open source has not been beneficial to many organizations. But there are other correlations around open source that are not nearly so beneficial, including the rise in security problems that has accompanied the increased adoption of open source.
The recent Apache Struts security vulnerability is a prime example of the potential danger. The vulnerability in the open source Web application framework was disclosed by researchers in early 2017, and a patch was issued soon thereafter. However, not every Struts user applied the patch in a timely manner. One of those organizations was the credit reporting firm Equifax. The Struts vulnerability is credited with enabling hackers to make off with 143 million records from Equifax.
This has led to questions about whether open source software is inherently less secure than software developed in a proprietary manner. Considering the huge investment organizations are making in open source software, it’s an important question to address.
Bierweiler maintains that open source is inherently more secure than proprietary software. He references Linus’s Law, the maxim attributed to Linux creator Linus Torvalds that Eric Raymond had in mind when he wrote “given enough eyeballs, all bugs are shallow” in his 1999 essay The Cathedral and the Bazaar.
“Software is software. The development model is very much the same in open source as it would be in a proprietary counterpart,” Bierweiler says. “I think defects are inherent to software of any kind.”
However, when you consider the depth and breadth of the open source community, Bierweiler continues, “The approach of having that many different individuals hammering it and searching through it, we do find that there’s a higher ability to identify defects before they become defects, or to address them much quicker due to the size of the community or the breadth of the exposure.”
Enterprise Open Source
That’s not to say that all open source is inherently better. Bierweiler differentiates between free and open source software (FOSS) and enterprise open source. FOSS is what you can go and download from a variety of Apache project sites or from GitHub, while enterprise open source takes FOSS a step further by putting it through an additional series of quality and security tests.
You run a risk with FOSS, Bierweiler says. “I would certainly advise due diligence and scrutiny when installing FOSS components on any network,” he says. “It’s important to understand the source of the code and the process it’s gone through before you put it on your network.”
Hortonworks checks for flaws in open source software. Out of 1,100 employees, 250 are contributors or committers to the open source projects that compose the Hortonworks Data Platform (HDP) and Hortonworks Data Flow (HDF) stacks. More critically, Hortonworks also runs a series of more than 10,000 integration tests to check for data-exposing security holes that can appear when two otherwise secure products are connected.
It’s the security, scalability and stress tests that let IT executives breathe a little easier when installing Hortonworks products, Bierweiler argues. “We’ll prioritize and expedite the inclusion of security patches and fixes into our platform so that customers don’t have to try to fix it themselves or search around for the answer,” he says.
However, not everybody shares Bierweiler’s view on open source software. Merv Adrian, the respected Gartner analyst, warned about the security risks posed by Hadoop over a year ago. “Unlike DBMSs,” Adrian wrote, “Hadoop software stacks have not had built-in security capabilities and, because they increase utilization of file system-based data that is not otherwise protected, new vulnerabilities can emerge that compromise carefully crafted data security regimes.”
Another voice questioning the idea that open source has intrinsic security advantages is Nik Vargas, the CTO and VP of Client Services at Switchfast, a Chicago-based IT firm. He argues that neither open source nor proprietary methods have any distinct advantage over the other when it comes to security.
“Both offer bug bounty hunting programs, and both have reasonable response times to patching valid vulnerabilities,” Vargas tells Datanami. “What determines the impact of an exploit is the installed base, the responsiveness of the developer, and the subsequent response time of administrators to implement patches.”
Vargas references two high-profile exploits to make his case: Heartbleed, a major vulnerability in an open source project, and WannaCry, a major vulnerability in a closed source product. “Both had patches deployed in a reasonable amount of time after the vulnerabilities were discovered,” he says. “However, the installed base and lack of action on the part of administrators make it possible to find systems that are still vulnerable today—independent of the software development model.”
Vargas advises customers to pick the software that best addresses their particular use case, whether it’s open source or closed source. Beyond that, it’s critical to keep the software updated and to layer in defenses such as a firewall with Intrusion Prevention System capabilities and a Web Application Firewall.
Attacking Complex Surfaces
Ben Banks, European Security Director at Ensono, an IT services firm also based in Chicago, has a different take. He acknowledges that Torvalds’ approach has some merit. However, he argues there’s no clear correlation between the number of eyeballs perusing code and the quality of the software.
“There are a number of challenges to Linus’s Law which security professionals would be wise to acknowledge,” Banks tells Datanami. “In his classic book The Mythical Man-Month, Fred Brooks makes a number of compelling arguments against that assumption (the so-called Brooks’s law that adding manpower to a late software project makes it later), and in the specific case of Linus’s Law, Robert Glass (in Facts and Fallacies About Software Engineering) claims there is no correlation between the number of bugs reported (KPI of quality) and the number of reviewers.”
The Heartbleed flaw, in particular, poses a problem for the idea that open source software has inherent advantages. “It has been argued that the presence of Heartbleed exposes a number of flaws in Linus’s Law, specifically in relation to security vulnerabilities,” Banks says, citing Bruce Byfield’s 2014 article “Does Heartbleed Disprove ‘Open Source is Safer’?”
While the open source community reacted quickly to Heartbleed once it was disclosed, that doesn’t alleviate all concerns, Banks says. “Just because there is a patch available quickly does not mean it can, or will, be implemented quickly,” he says, citing the Apache Struts vulnerability. “Applying patches can be very complex, especially in business critical applications distributed amongst numerous interdependent systems and components.”
What’s more, Banks argues that the increasingly complex nature of today’s business systems — with numerous sub-components operating independently yet linked together to form a cohesive whole — poses a hazard in and of itself.
“No patch should be deployed without understanding and balancing the risks it may introduce to core functionality and any ripple effects it may cause within its deployment ecosystem,” Banks says. “Exploit developers have few such constraints when weaponizing known bugs into effective attacks. In a very real sense the openness of the open source process builds in the potential for asymmetries to exist between the efforts required for a robust defense and the efforts required for a damaging attack.”
Like many things in life, there is no clear answer to this question. The open source approach carries many benefits to those looking to innovate with big data and big data tech. In fact, it can be argued that this innovation would not be possible without an open ecosystem. However, that doesn’t take away from the real possibility that a large and open big data tech ecosystem, with all of its constantly moving parts, provides a bigger attack surface for exploit writers.
As with most things, there are tradeoffs to make. The one constant in this world is that constant vigilance is needed when deploying anything — including open source software.