The meme about the CrowdStrike update failure is spreading on the premise that such a thing could never happen to anyone else. Microsoft, of course, is particularly vulnerable to this kind of failure. The U.S. Cybersecurity Review Board has even said that “Microsoft’s security culture is inadequate and needs a complete overhaul.”
So, could something equally catastrophic happen to Linux? Not exactly, but Linux systems have been hit by supply chain attacks like Heartbleed in the past. That doesn’t mean Linux is unusable. Likewise, the CrowdStrike problem didn’t make Windows unusable. This is the world we live in. Everything breaks down, everything gets hacked.
Of course, you should try to avoid failures and hacks, but true security is in how you respond when failures and hacks occur. This is why open source and open technologies in general are so helpful. Not because they are more secure or less prone to failure, but because they are easier to fix. Now is the time to stop dancing around Windows security breaches and focus on what really matters.
For Whom the Bell Tolls
Open source software is not more secure than proprietary software, but the processes for securing open source software are certainly secure. I have been saying this for decades and there is a lot of data to back it up.
But this only works if people follow the process. There’s a reason supply chain attacks succeed: people are reluctant to apply the patches that are available. Ten years after Heartbleed, tens of thousands of systems are still vulnerable. Why? Effectively inventorying enterprise systems is not easy, and patching older systems can be a complex task.
These problems are unique to each company, making it difficult to solve them at the industry level. But there is something that can be done. The Open Source Security Foundation (OpenSSF) has set out to improve the security posture of open source code while also providing education on security processes. It is a great effort. To me, it is the most important thing that OpenSSF and its parent organization, the Linux Foundation, do.
I also want to point out that this is something the open source community generally needs to emphasize. The open source community is graying. It is not wrong to say that “in order to change the world for the better with open source, we need to attract the attention of people who are not yet 30 years old.”
Change the way you talk
I would like to speculate that one of the reasons open source remains largely the preserve of older developers is the stubborn gatekeeping of the “right way” to do open source. They have been raised on a steady diet of what open source is, and they are fixated on the wrong open source issues. The biggest problem is not that companies are relicensing software. My company did that in 2019, to be honest. The problem is security.
As RedMonk’s James Governor first observed in 2013, when he called this group the “post-open-source generation,” the younger generation of GitHub coders don’t have the same concerns about open-source licenses that they once did. Open source is open, but they’re not pedantic about the underlying license. There’s a misconception that unlicensed GitHub repositories are somehow public domain, which is not how copyright works.
Given how important open source software is to security, this is where we need to focus. In other words, open source and open technologies are important, but not for the reasons we sometimes suggest. Instead of being grumpy old men about the definition of open source, we should spend our energy talking about processes for software security and how open source can help. That will be much more interesting and relevant to young developers who grew up in an era where “everything breaks and everything gets hacked” than boring discussions about licenses.
editor@itworld.co.kr
Source: www.itworld.co.kr