Why Cloud-Native Companies Should Support Open Source
Open source software (OSS) makes up the bedrock of our digital lives. And naturally, OSS is the foundation for most modern cloud-native infrastructure. In fact, a recent report from CNCF found a rise in open source projects to support the cloud-native movement. The CNCF study found that 96% of organizations now use Kubernetes. And in the past year, other cloud-native open source projects have grown exponentially too. For example, containerd adoption grew 500% year-over-year and Prometheus monitoring software grew 53%.
Think an app is not using open source software? Think again—the majority of the time, you’d be wrong. In fact, 90% of enterprises now use open source. But in the wake of incidents like Log4j, all this reliance on open source for cloud-native architecture has sparked concern about whether or not we can trust the security and reliability of these projects. National Security Advisor Jake Sullivan recently stated that “open source software is a key national security concern.” Granted, it can be tricky to validate the provenance of each project and fully comprehend its low-level functionalities. Due to their sheer complexities, becoming an expert in every open source tool a company embeds would take several lifetimes.
Still, the benefits of open source greatly outweigh the potential concerns—in addition to being freely available, open source increases portability and interoperability within the tech market. Plus, with so many developers contributing to a project, weaknesses and vulnerabilities can be discovered and addressed more quickly. Still, according to James Arlen, CISO, Aiven, companies should consider taking a more active role in nurturing these core projects. He recently shared with me some specific actions companies can take to nurture the OSS they rely so heavily upon.
Promoting the Common Good
Open source software can help organizations avoid being held hostage by a single cloud, allowing for multi-cloud environments. But reaping the benefits of open source indeed requires communal input. According to Arlen, the onus is on companies to incentivize the improvement of OSS as part of the common good. So, what are some ways to support and improve open source?
One method is direct monetary contribution. Arlen describes how at Aiven, the company pays salaries for security team members who spend half their time explicitly working on open source projects. Also, the company has contributed financial incentives for open source bug discoveries, even when the official open source project maintainers themselves had no bug bounty program. “A commitment to open source helps balance capitalist motives with the public-good nature of open source,” he said.
Aside from direct monetary contributions, Arlen encourages more developers to take an active role in contributing to core packages that affect the broader ecosystem, as vulnerabilities in an underlying package, like Fedora, could impact many upstream services. Often, exposures are unintentional and only arise when two strains of code are combined, as was the case with a bug found in an implementation of Apache Flink-as-a-service, says Arlen.
One for All and All for All
Open source projects have flourished due to significant communal effort. Arlen compares it to how Wikipedia usurped Encyclopedia Brittanica as the means to organize society’s collective understanding. Supporting open source does require effort, but there’s a sweet spot when all parties feel like they gave a bit too much, says Arlen. “Open source is really an implementation of Nash’s Theorem. If everybody doesn’t quite win, we all win.”
It sounds like an idealistic trope, but it’s true that we tend to get farther when we help each other. Therefore, companies have an ethical reason to contribute directly to the projects they consume. While that might sound like an enormous burden, the effort doesn’t have to be that substantial. “If everyone submits one article, in the blink of an eye we have Wikipedia,” says Arlen. “The same thing happens in open source.”
And, contributions don’t have to be purely technical, either. For example, there is certainly space for technical writers to build out better documentation for open source projects. “Contributions should be of material outcome, but they don’t need to be significant,” Arlen explains. If everyone volunteers, say, four hours a month toward fixing a bug in open source projects, the software world would be inherently safer. On that note, no test suite catches everything. Another helpful way to contribute is to submit bug reports to project maintainers.
Give Back to Cloud-Native Open Source
“Any sufficiently advanced technology is indistinguishable from magic,” in the words of Arther C Clarke. And many open source packages work like magic to the beholder. “There is no human that understands all of Linux or all of macOS,” says Arlen.
As such, it’s impossible to avoid vulnerabilities altogether, and complexity won’t cease to exist whether the software is open or closed. But open source’s transparency is another of its great strengths, as it affords greater visibility into bugs and vulnerabilities.
We can’t get rid of open source. Top open source packages from the CNCF, for example, have been maturing for years and are relied on by thousands of software teams. And though directly using open source packages requires overcoming some maintenance hurdles, many abstractions exist to streamline their use. For example, most companies adopt Kubernetes via managed services such as EKS or GKS. Still, open source is at the root of these platforms and must be nurtured.
Instead of punishing open source for its shortcomings, we need to build societal patterns that support this idea of the common good, says Arlen. Perhaps one day, this could materialize as a government-endorsed digtial ‘park ranger’ corps, whose responsibilities include upkeep of the digital infrastructure the globe relies on, he speculates.
In the meantime, open source users have some actionable items: Give back to the community, introduce bug bounty programs and contribute however you can, even if it’s immaterial, Arlen advises.