Distressed over OSS in Inverness

Distressed over OSS in Inverness

Dear Sloan,

I started a new job with a software development company at the end of last year. I work in HR but am in a physical workspace with the development team. It seems like all these folks talk about is something called “OSS”. I’ve done some searching and have come up with a few possibilities as to what they are talking about. What is OSS? Why is it always a topic of conversation here?

PS: I should mention that I intended to send this question at the end of last year, but something called “Log4j” (??) popped up, and…well…things got pretty busy.

Thanks,

Distressed over OSS in Inverness

Dear distressed, 

“OSS” has meant several things through time, but the most likely fit given your environment is the acronym for “Open Source Software.”

What is Open Source Software?

Open source software, in short, is software with source code that anyone can inspect, modify, and enhance. 

Opensource.com dives a bit deeper: 

“Source code” is the part of software that most computer users don’t ever see; it’s the code computer programmers can manipulate to change how a piece of software—a “program” or “application”—works. Programmers who have access to a computer program’s source code can improve that program by adding features to it or fixing parts that don’t always work correctly.

The benefits of OSS are many and are generally centered around the ability to “own” the piece of software with which a developer is working. When you work with proprietary (or non-OSS) components, you’re at the mercy of the creators. They can change it, break the ways in which you use it, or kill it off entirely. With OSS, when you have the source code, you call the shots.

Pretty neat, right?

Well, usually.

OSS Risks

Think of OSS like the Wild West. When no one is in charge, everyone is in charge, and if Hollywood is any indicator, the Wild West had its bad guys. The world of OSS is no different. The very thing that makes OSS great – – the openness of it – – can also make it risky. According to DevOps.com’s Abhishek Arya, attacks on OSS are on the rise. In 2021, open source supply chain attacks grew 650 percent!

Funny you should mention Log4j, as that was one such attack. I won’t get into the specifics here, as that’s been well-documented. In essence, the bad actors found a flaw in a very popular piece of software. 

So while the experts were scrambling to identify and measure its impact, the cybercriminals were looking to exploit it. Globally.

Vulnerabilities, like the one in Log4j, are generally pretty easy to find. So why didn’t someone find it?

Well, you’d have to look for it.

Mitigating OSS Risk

In software development, Linus’s law states “…given enough eyeballs, all bugs are shallow.” 

The issue with identifying vulnerabilities hinges on the fact that there aren’t enough eyeballs on them. OSS doesn’t have a payroll, and you’d need an army to pour over every line of source code and advise on the appropriate path based on their findings.  

But all is not lost. The white hats in the Wild West of OSS come in the form of systems and practices designed to mitigate the inherent risk of using OSS components. One popular concept is that of Shifting Left, or introducing OSS security at the beginning of – and throughout – development. Another is the creation of a Software Bill of Materials, or SBOM, or a line-item list of the software components in use in a given application.

While it doesn’t end here, these two practices can certainly limit the potential of total panic in your new workspace. Hopefully this helps!

Stay safe,

Sloan

Add your other questions in the comments below! Keep in mind, there are plenty of Sonatype blog posts, and a dedicated guide on OSS. Check out Sonatype courses, or take a look at our video on how to find and fix log4j.