Commentary: Those looking for a single cause for the Log4j vulnerability – whether it's that open source isn't secure, or that open source isn't sustainable – are getting it wrong. It's a complicated topic.
Forgive me if I don't want to hear your "hot take" on the Log4j vulnerability. By all means, give me the details of what happened, as well as how it's impacting companies like mine. Even better, give me insight into how I can test my servers to see if I'm safe.
Just don't blare headlines like "Open source can be [an] open door for hackers," as the Financial Times did. And don't use the problem to start banging the drum of "open source sustainability" crises. Open source isn't a security problem, and open source sustainability is a complicated topic. Instead, it's time to recognize, as Matt Klein, founder and maintainer of the Envoy open source project, has done, that "All we can do is accept the reality of bugs/outages, do the best that we can to mitigate, learn, and improve, and wait for the next one."
Making security a process
I know, I know! That doesn't make for exciting reading. There's no smoking gun. No intern to blame. It's just...software. And software breaks, is buggy, etc.
As Klein stressed,
"I've avoided a hot take on the log4j situation because frankly I'm tired of tech hot takes. However, my not hot take hot take is that bugs happen, some of them very bad, and they occur for a set of complex reasons. Complaining about the villain of the day ([open source] funding, memory safety, etc.) is a red herring, and over-focusing on one cause leads to no real improvement. We're all human and juggling a mountain of constraints; it's a miracle that tech works 1% as well as it does."
But...what about the fact that apparently the Log4j maintainers may not be paid to do this work? That may or may not be true, but it's also somewhat immaterial, as Red Hat's Andrew Clay Shafer argued: "[P]aying [open source] maintainers fully competitive software salaries would have a negligible impact on preventing log4j like security issues." On its face this sounds wrong, but consider his follow-up: "[H]ow much money have banks spent on 'security' since 2013? [W]hile running log4j in prod the whole time? [H]ow many undiscovered exploits are in prod at your bank right now?"
He has a point. A good one.
Even the most fully funded software has bugs, security holes, etc. We can absolutely do better, but no software – open source or proprietary – is immune from flaws. Sure, it might make the maintainers feel better to be paid while they're yelled at to "FIX THIS NOW!" but there are some (like Beka Valentine) who would argue that reducing all open source sustainability to a question of money unwittingly takes away some of its greatest power: developer passion.
Indeed, on this point, Ruby on Rails founder David Heinemeier Hansson declared that "I won't let you pay me for my open source." Why? "Open source, as seen through the altruistic lens of the MIT gift license, has the power to break us free from this overly rational cost-benefit analysis bulls— that is impoverishing our lives in so many other ways." In other words, he wants people to contribute if it gives them joy, and he doesn't want to feel beholden to do anything with the project that doesn't also bring him happiness. Introducing money makes open source common, in his view.
Regardless of whether you agree, and coming back to Shafer's point, we can't magically rid Log4j or any open source (or proprietary) software of bugs simply by throwing money at them. That's not the magic of open source. No, security is a process in open source, not something you get by licensing code under an open source license. I tweeted in December 2020: "Not that open source is inherently more secure, but rather it's an inherently better process for securing code."
By all means, let's ensure open source contributors are paid (or not, following the reasoning of DHH and Valentine), but let's not celebrate our silly hot takes that try to reduce the Log4j problem to one thing. Security is complicated. Software is complicated. But open source, by making the software and surrounding processes permeable, accessible, improves security (or can), rather than degrading it.
Disclosure: I work for MongoDB, but the views expressed herein are mine.