Security is only a problem with open source if you do nothing
A little bit on being cool with security in open source usage (survey says!) and the usual collection of interesting words seen, stuff I've produced, and links I liked.
It's hard to know if there's too much stuff should be doing, or if I have it project managed well enough that I don't need to worry about it right now. Below, a little bit on being cool with security in open source usage (survey says!) and the usual collection of interesting words seen, stuff I've produced, and links I liked.
Suggested epigraph: “it’s pretty darn hard to protect a painting from somebody throwing a can of soup at it.”
Suggested Theme Song:
First, this
You should come to SpringOne, it'll be great for developers, operations people, and executives looking to get their outfit good at software. I'm guessing there'll be a lot of Spring announcements, some stuff from us on getting kubernetes setup for developers, and more. Check out the talks at SpringOne.io and use the code COTE200 to get $200 off.
Security is only a problem with open source if you do nothing
A tech news site asked me to do a video about our State of the Software Supply Chain Survey this year. Here's the little script I wrote.
Unsurprisingly, open source is used by almost everyone. When it comes to what I care about software development, open source is indispensable. In fact, it’s hard to imagine a developer who only uses closed source software, if not whole systems like kubernetes or Cloud Foundry for running their applications. It’d almost be impossible.
And, indeed, in our State of the Software Supply Chain survey this year, 2022, 90% of respondents said they were using open source in production.
Still, I wonder what those other 10% are doing!
Do they write all their own software? They’re not running Linux in production I guess, either.
What’s holding those 10% back?
- 44% selected we’re still figuring out how to manage OSS in production.
- 38% chose we don’t see sufficient support for open source software in production environments
- 34% chose we don’t trust open source software for production environments.
Benefits
There’s so much they’re missing out on. For all this praise about open source for me, what are the benefits of using open source?
80% of people said reduced costs. Now, a lot of people will tell you that open source isn’t free. What they mean is that the cost of labor to use and maintaining it (upgrading and security patching) in staff time and pay…but clearly people are benefiting from open source overall being cheap. And, of course, many companies pay for commercial support and closed source tools for the open source stuff they use.
Cost was also the number one benefit in our 2021 survey.
The other benefits were flexibility, support from a large community, and developer productivity.
All of these are the promises of open source and what we’ve come to expect over the decades. Indeed, if you look the reasons people chose open source and then the benefits they got, those expectations pretty much line up. For example, 50% of people said they expected developer productivity as a benefit, and 52% got that benefit.
Problems: Security
Let’s look at the concerns people have.
Security is what we should really dig into since it’s such a big concern. Now, I don’t think the concerns about security mean that open source is NOT secure. I don’t really think that’s the case at all. I think open source tends to be as secure as any other type of software, closed or run in the public cloud. What’s important is that you have the right process, packaging, and management in place. Again, this is important for anytime of software. Open source software is as secure, or, if you like, as insecure as closed source software. Make sure to get the right tools in place.
I want to add my own criteria for using open source that you should consider: make sure there’s a thriving, well supported community that you can depend on for the long-term. There’s two reasons for this: you want to make sure you’ll get community-based support when you’re learning how to use the OSS and troubleshoot it. Also, you want to make sure over the years that new, innovative features are added.
A thriving community will address these criteria.
Packaging and management
What you want to do is make sure that community and the vendors and cloud services you work with prioritize getting updates and patches out for their open source packages and services. And this is about more than “security”: it’s just upgrading to new versions of the projects you use to get new features and performance improvements.
You want to have the processes and tools in place to deploy those updates as soon as possible, ideally without taking down production and stopping the business from running.
The container-based applications that run in kubernetes and Cloud Foundry - both open source! - provide excellent ways to do this nowadays. For example, the US bank Wells Fargo runs many applications in containers and because of how open source is packaged and managed in their platform, they’re able to deploy updates multiple times a week without disrupting their applications and, thus, business. I’ve seen this across banks, government agency, retailers: you name it.
So what you see in our second survey, here, is that with the right tools and process in place, and managing how your open source is packaged, you can get tremendous benefits from cost savings to developer productivity. The added bonus is that these same controls for open source can be applied to your own code and software. Securing open source is important, but the more important problem to solve is securing your own software. That comes down to the same thing: tools, process, and package management.
Once you have those controls in place, you can get that innovation engine going.
My content
- Next week at the Peak IT conference, I'm going over the legacy trap book, my recent write-up (with my colleague Marc) on application modernization. Check it out!
- Week after next, it's VMware Explore Europe. If you're there, check out my talks. One is online, and the other in person.
- A couple Tanzu Talk episodes: The Missing Track at SpringOne and then our news episode this week.
- Software Defined Talk Episode 382: The Ultimate Dogfooding - This week we discuss Aboard.io, cutting cloud costs, commute hours and final thoughts on Google Next. Plus, Matt Ray goes car shopping.
- Software Defined Talk Episode 383: My bag did not make the flight - This week we discuss Twitter’s workforce, DHH leaves the cloud and Tech Earnings. Plus, some thoughts on international travel.
- And, some more "hurdles to digital transformation" shorts: Empowerment without clarity is chaos and Reluctant to Change Crusties.
Waste Book
- “At the end of this year, the feeling is of being a silent sandwich filling.” 🖇️
- And: “3.40am Awake trying to locate one worthwhile, nameable emotion that deserves this sleeplessness.”
- “those body parts can never take a holiday from each other.” 🖇️
- "In a sclerotic age lacking in deep foundation, the Manichean categories and heroic appeals of the Right can have a libidinal allure to those who yearn for transgression and rebellion." 🖇️
- "what I call tedious some people consider their personality" 🖇️
- Free dad wisdoms for this issue: you don't plan on having an accident, but you can plan for having an accident.
- 'Catsup meeting canceled because it was "overtaken by Wednesday mustard."'
- "There were a couple of days in which all I achieved was some exercise, cooking dinner, and ordering some Uniqlo pants." 🖇️
- "Of course she's hungry. I just came from a dinner and _I'm hungry." 🖇️
- And: "One can revisit the past quite plenty as long as one does so expecting every aspect of it to change."
Relevant to your interests
- a 6 person thumbnail team
- Wolverine’s 1000 Mile Old Rip Van Winkle Boot Batch III - I would wear them.
- Rats, Levers, and Parks: Designing Better Choices - "Then a smarter group of researchers had another idea. If you were stuck in a cage with nothing but food, water, and drugs, you’d probably pull that lever until you died too. Most of us would. I’d absolutely go full Scarface if the alternative was rolling around a cage suckling water hoping for salvation." - That is, animals will behave poorly if they have desperate conditions. They will give up if trapped in a cage and given the chance of bliss.
- Infrastructure for apps: Platforms for cooperative delivery - Alternate phrase for the platform engineering idea: "DevOps for Kubernetes." Maybe "DevOps4k8s"?: "In addition to its self-service paradigm, platform engineering also focuses on the needs of application developers and operators, the users of the platform. This increases PEs’ empathy for developers and other platform users and helps them gather feedback and iteratively improve to meet their needs, as product developers do for end customers. The shift in focus also better aligns platform development with an enterprise’s true value streams, rather than infrastructure teams being an out-of-band cost center. It’s not technical exactly, but empathetic relationships between platform engineering and application teams lead to better coordination of infrastructure capabilities and app requirements."
- Service Mesh Demand for Kubernetes Shifts to Security - “The number-one driver Linkerd these days is the security feature. That was surprising for us because when we came into service mesh as platform engineers, we thought Linkerd in the early days was about observability and traffic control, which are still useful, of course,” Morgan said. “Sometimes they’re almost apologetic, but I tell them they don’t have to be apologetic because it makes sense.”
- Broadcom CEO says hiking VMware prices is not his strategy - "I see Tanzu as a strategic part of the VMware software portfolio and it will remain that way as we move forward within Broadcom."
- VMware’s Inspirational Women: Spotlight on Whitney Lee - "I think perfection is boring. The human-ness and relatability is in the imperfections. I strive for progress over perfection."
- Why Cloud Finance Is Broken and Ineffective - "Optimizing costs is a later-stage task (read: afterthought) for engineers, because creating customer value always comes first. Sometimes that later stage never arrives simply because your engineers are focused on the neverending backlog of work that creates customer value.... Finance, given a lack of Engineering knowledge and no context provided by Engineering, is going to base decisions on the assumption that Engineering is doing the right things when it comes to AWS architecture and costs. That’s, uhh, not a bet I’d take.... [Putting non-technical people in charge of cloud costs is bad because they] have all of the responsibility for managing costs but none of the leverage needed. It results in a constant battle against engineering teams that don’t understand why they have to care about cost management so much, particularly if it’s not part of their compensation or promotion structure."
- Google Cloud Seeing ‘Significant’ VMware ‘Momentum’: GM - "How big of an opportunity here is VMware Engine for Google Cloud and your partners? I’m going to say 90 percent of these workloads are still on premise - more than 90 percent. And we all know the dominance that VMware enjoyed on-prem with VMs." This is similar to the AWS CEO saying, a few weeks ago, that we've just got about 10% of workloads in public cloud. And then, frequent reference to "60 percent cost savings on infrastructure" after moving to Google Cloud's VMware hosting.
- Disruption for Doctors: the Rise of Selfcare - "But guess what: consumers spend more money each year on AirPods than healthcare spends each year on EMR! And because of IT, consumers have been gaining new capabilities much more rapidly than the healthcare system." This is some fun thinking on innovation in large organizations and systems. First, are you actually spending the resources (time, money, and attention) to change things. Second, are you solving simple problems that have big productivity/improvement gains. Third, are you thinking about changing bottlenecks with automation (and, yes, cool new technologies if applicable).
- Mailbag: What isn't measurable? To hire as exec or not? - "At Calm, I’ve focused on measuring engineering through the number of features shipped, maintaining an agreed upon target win/loss/neutral rate for experiments (e.g. roughly one-third in each bucket), and whether we made exactly one big technical investment per quarter. For many folks asking for an engineering velocity measurement, this will meet their criteria, but it’s really more of an investment thesis. Even if we shipped more features one quarter than another, I wouldn’t actually believe that our velocity had necessarily gone up, it’s more likely that the features themselves were smaller."
- Digital transformation cannot escape tech despite vendors’ evolving value propositions - "Funky chairs only matter if you can physically sit in them"
- "Acting your wage" - "But what is a quiet quitter? From TikTok to consulting firms, the general definition of a quiet quitter is not someone who is actually quitting a job, but someone who is just performing only the tasks based on the job description. No extra hours or effort, meeting the minimum standards for the job and getting it done. National Public Radio (NPR) asked some listeners to help clarify the term and provide alternative names for quiet quitting. Acting your wage and doing your job are a couple of my favorite
- Platform Product Management Versus Platform Engineering - Yeah, hopefully all this platform engineering talk will return to platform as a product, figuring out post-Atlassian IDP stuff, and then cool SRE hacks and life-improvement through DevOps. Collapsing them all into one thing is getting kind of exhausting.
- Apple Announces Strange New iPad and iPad Pro Lineup - "This Lineup is Super Weird"
- Gartner Survey of Over 2,000 CIOs Reveals the Need to Accelerate Time to Value from Digital Investments - "CIOs’ top areas of increased investment for 2023 include cyber and information security (66%), business intelligence/data analytics (55%) and cloud platforms (50%). However, just 32% are increasing investment in artificial intelligence (AI) and 24% in hyperautomation."
- The B2C CMO’s Environmental Sustainability Blueprint - Holy crap that’s a huge difference! “In Europe, 57% of C-level leaders see sustainability as the main factor in business disruption; in North America, 24% of CEOs see climate change as a major risk.”
- Gartner Identifies the Top 10 Strategic Technology Trends for 2023 - > Gartner predicts that 80% of software engineering organizations will establish platform teams by 2026 and that 75% of those will include developer self-service portals.
- On the Spectrum of Application Modernization - "Over the past 5 years, businesses have ost an average 23 percent of their mainframe workforce; of those, 63 percent of positions remain unfilled." Plus, some general application modernization strategy think.
- Platform Engineering: What Is It and Who Does It? - Another go at the platform engineering thought-leader piece.
- What We Learned from Enabling Developer Self-Service - More for the "what is platform engineering?" pile.
- Most Government Orgs Fail to Meet Digital Transformation Objectives, Report Finds - "According to the report, only 7% of surveyed government leaders said their organization achieved its digital transformation objectives. "
- A Museum Security Expert on How to Protect Great Art - The Atlantic - > “it’s pretty darn hard to protect a painting from somebody throwing a can of soup at it.”
- US and Europe cloud prices to spike on back of inflation - "The cost of borrowing is rising in Europe. It went up by 22 percent in September, and the cost of energy reached record levels in the region last month."
Suggested Outro: