Open source code recycling: Know your software supply chain
The proliferation of open source has rendered the decentralized software development model an irreversible trend. Its dominance is particularly apparent in the cloud/server, mobile and IoT computing categories, where Linux and other open source software are heavily used. In fact, open source code elements pervade an estimated 90% of all software in development and use today.
Nonetheless, most businesses and consumers are unaware of the extent to which open source touches their lives on a daily basis. Search engines, smartphones, apps, the back offices of public networks, ATM and online banking systems, and an ever-growing range of client computing systems: the list is almost endless.
The various reasons for the rapid growth in open source adoption and use can be distilled into a single word: innovation. Thanks, in large part, to open source, newer and previously unimagined computing systems and devices are destroying old industries and creating entirely new, fast-growth ones, while forcing others to adapt and become more efficient.
The transformative power of open source
Historically, software was created in proprietary stacks. Each systems company created operating systems and key applications from the ground up. In the context of immense internet proliferation and the limitations of this proprietary software production method, a new software development model became necessary and therefore inevitable.
GNU/Linux was able to fill this gap, truly reshaping software design and development. Rather than writing and updating proprietary, foundational code, developers working at different companies or on their own could use and enhance the same basic software building blocks, thereby focusing the majority of their resources on innovation higher up the stack.
And, it worked.
Now, the open source community has taken the same principles of collaboration on code building blocks and pushed them throughout the computing stack. As previously stated, this cooperative approach led to massive innovation across computing industries, and to the creation of many new ones.
The open source code recycling pitfall
Imagine a brilliant piece of code that a developer or team has created and shared with the open source community. The code is so great that it is employed in various types of applications that extend beyond its originally intended use. In fact, it is accepted as such a fundamental piece of code that it becomes a key building block in the standards of one or more industries.
It happens all the time. Within embedded Linux, these code elements have become fundamental to its use and success. You could say, without exaggeration, that entire groups of IoT manufacturers rely on these pieces of technology.
Now, imagine what happens when one of those brilliant pieces of code is found to have a vulnerability that could be exploited by hackers. This also happens with some regularity.
When vulnerabilities are discovered in key code elements, there are some important questions that need to be addressed:
- What potential ramifications does the vulnerability present?
- How prevalent is the vulnerability?
- Is there an easy fix?
The necessity of accurate software supply chain documentation for continued open source adoption
The open source community is very transparent — more so than its proprietary counterpart. It does an excellent job of publicizing the existence of security vulnerabilities and creating effective patches. In fact, the community is so good that security vulnerability-related issues pale in comparison to the value provided by open source’s inherent flexibility, scalability and innovation.
To verify that your IoT development team or third-party firmware provider is supplying you with software built from the latest, vulnerability-free versions of its open source components, it is important that it provides you with accurate software supply chain documentation. You should also double-check the integrity of that documentation by performing an independent analysis. Today, the industry best practice is for the customer or their MSP partner to conduct a pure binary scan of the software they receive and to compare the result with the documentation provided by the development team or third-party firmware supplier.
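As an added illustration, not taken from the original article, the following Python shows how the comparison described above can be carried out: a supplier's component list is reconciled against components detected in the delivered binary, and detected versions are checked against an advisory list. The firmware bytes, component names, versions and advisory entries are all constructed placeholders, and the banner-string scan stands in for a real binary analysis tool.

```python
import re

# Constructed supplier documentation: component -> declared version (hypothetical names).
SUPPLIER_MANIFEST = {"libfoo": "1.2.3", "libbar": "2.0.1", "zlibx": "1.0.0"}

# Constructed firmware image: filler bytes with embedded version banners, the kind of
# strings a binary scan of a real image would key on. Not a real product or format.
FIRMWARE_IMAGE = (
    b"\x7fELF\x00\x00" b"libfoo/1.2.3\x00" b"junk\xff\xfe"
    b"libbar/1.9.0\x00" b"busyboxy/1.31\x00" b"\x00" * 8
)

# Constructed advisory feed: component -> versions known to be affected (hypothetical).
KNOWN_VULNERABLE = {"libbar": {"1.9.0"}, "zlibx": {"0.9.9"}}

# Matches "name/version" banners such as b"libfoo/1.2.3" inside raw bytes.
BANNER_RE = re.compile(rb"([a-z][a-z0-9_-]{2,})/(\d+(?:\.\d+)+)")


def scan_binary(image: bytes) -> dict:
    """Extract component name -> version pairs from banners embedded in the image."""
    return {name.decode(): ver.decode() for name, ver in BANNER_RE.findall(image)}


def reconcile(manifest: dict, scan: dict, advisories: dict) -> dict:
    """Compare documentation with what the binary actually contains.

    undeclared:       in the binary but absent from the documentation
    missing:          documented but not found in the binary (documentation drift)
    version_mismatch: declared and detected versions differ
    vulnerable:       detected version appears in the advisory feed
    """
    findings = {"undeclared": [], "missing": [], "version_mismatch": [], "vulnerable": []}
    for name, ver in scan.items():
        if name not in manifest:
            findings["undeclared"].append(name)
        elif manifest[name] != ver:
            findings["version_mismatch"].append((name, manifest[name], ver))
        if ver in advisories.get(name, set()):
            findings["vulnerable"].append((name, ver))
    findings["missing"] = [name for name in manifest if name not in scan]
    return findings


def documentation_is_trustworthy(findings: dict) -> bool:
    """True only when the binary matches its documentation and nothing vulnerable was found."""
    return not any(findings.values())


if __name__ == "__main__":
    for kind, items in reconcile(SUPPLIER_MANIFEST, scan_binary(FIRMWARE_IMAGE), KNOWN_VULNERABLE).items():
        print(f"{kind}: {items}")
```

Any non-empty finding is grounds to go back to the supplier before accepting the firmware; an empty result only says the documentation matches the binary, not that the binary is free of issues outside the advisory feed.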
Open source has and will continue to change the way we communicate, work and entertain. It will reinvigorate existing businesses and create new industries and opportunities. Nevertheless, to ensure that embedded Linux retains its value and remains the dominant IoT platform, software development teams and third-party firmware suppliers must provide their customers with the most accurate software supply chain information.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.