How to deploy secure open source code for the cloud?
Today, most application developers incorporate code from open source development projects in order to reduce development time and improve overall code quality. This code can be part of an actual cloud suite, such as OpenStack, or support tools, ranging from compilers to storage managers and a variety of application modules.

But choosing the most suitable open source code from the hundreds of available repositories is a complex task, and it can open the door to malware. Beyond the risk of pirated code, there is the question of code quality. To ensure that you are using reliable and secure open source code, confirm that the code is well designed and documented, and that it has been tested rigorously for wide use.

The consensus of other users is often the best first guide to code quality issues. The open source community is pretty loud about problems and will warn you about bad code. OpenStack code, for example, is heavily scrutinized and tightly controlled; issues surface quickly because of the large community of developers and users around it. Other resources for finding out about code quality issues are the programmer communities on Stack Exchange and Stack Overflow.

With malware, however, it’s different: a problem can lie dormant or go undetected for a long time. Ruby on Rails, a popular open source framework, had undetected vulnerabilities dating back six years, for example.

To make sure you’re deploying secure open source code, look under the hood. Use the most recognized and trusted repositories, such as OpenStack’s GitHub and Image Service, as the source. There are also app stores that offer signed code from trusted vendors, with the ability to verify the signatures for the life of the code.

Next, choose the commonly used code and resist the urge to try an alternative just because it’s different. “Common use” means that many testers have executed this piece of code, so it is likely to perform according to specification.

However, none of this would have caught the Ruby on Rails issues. Follow the Open Web Application Security Project’s Application Vulnerability List for initial information on issues with commonly used open source code.

Version management is also important for secure open source code. Do not deploy a new version of code in your cloud unless there is a consensus on its security. At the same time, be sure to update dependent versions together so that known security bugs are closed. A version manager is useful for this.
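As an added example (not code from the article), here is a small Python audit of a dependency pin file that applies the two points above: each downloaded artifact is checked against its pinned sha256 digest (a hash-pin stand-in for the signature verification described earlier), and each pinned version is compared with an advisory list, so unpinned, tampered or known-vulnerable versions are flagged before deployment. The requirements text, artifact bytes and advisory list are all constructed sample data.

```python
import hashlib
import re
# Constructed sample artifacts standing in for downloaded wheels or tarballs.
ARTIFACTS = {
    "requests": b"constructed wheel bytes: requests 2.31.0",
    "flask": b"constructed wheel bytes: flask 2.3.0",
    "oldlib": b"constructed wheel bytes: oldlib 1.0.0",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed pin file in pip's "name==ver --hash=sha256:..." form; the
# oldlib line carries a deliberately wrong digest (all zeros).
REQUIREMENTS = (
    f"requests==2.31.0 --hash=sha256:{sha256_hex(ARTIFACTS['requests'])}\n"
    "flask>=2.0\n"
    f"oldlib==1.0.0 --hash=sha256:{'0' * 64}\n"
)
# Constructed advisory list: (name, version) pairs with a known issue.
ADVISORIES = {("oldlib", "1.0.0")}
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>\S+)"
    r"(?:\s+--hash=sha256:(?P<hash>[0-9a-fA-F]{64}))?\s*$"
)

def audit(requirements: str, artifacts: dict, advisories: set) -> dict:
    """Return {package: [findings]}; an empty list means the line passed."""
    report = {}
    for line in requirements.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            report[line] = ["unparseable requirement"]
            continue
        name, op, ver, digest = m.group("name", "op", "ver", "hash")
        findings = []
        if op != "==":
            findings.append("not pinned to an exact version")
        if digest is None:
            findings.append("no hash pin; artifact cannot be verified")
        elif sha256_hex(artifacts.get(name, b"")) != digest.lower():
            findings.append("sha256 mismatch: artifact differs from pinned hash")
        if (name, ver) in advisories:
            findings.append(f"version {ver} has a known advisory; update")
        report[name] = findings
    return report
```

Running `audit(REQUIREMENTS, ARTIFACTS, ADVISORIES)` passes the requests line, flags flask as unpinned and unverifiable, and flags oldlib for both a digest mismatch and a known advisory.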

The use of open source code has come a long way in recent years and is today a major part of development. With the right amount of care, it can help development teams implement new cloud apps faster while keeping them as secure as in-house code.