Recently Exposed Security Flaws in Apache Are Serious, But Open Source Software Shouldn’t Be Blamed, Says Jason Walsh
Security breaches are certainly newsworthy events and you can expect to hear more about them as information technology becomes more integrated into all aspects of our lives.
So it’s no surprise that vulnerabilities in major software are big news, and the revelation in December that a bug in the Apache Java Log4j library was widely exploited was no exception. A report in the Financial Times is worth dwelling on for a moment: it said that the “alarming” vulnerability (a fair description) “raises serious questions about open source software”. Is that the case?
The concern with some of the recent Apache vulnerability reports is that they could undo two decades of hard work explaining to people outside the industry that making code freely available is a good idea. Not only does this allow developers to check the code for problems (whether they actually do so is another matter), but it also has huge economic and cultural benefits.
Think about it: without Linux, server software licenses would still be the norm and few of us would want to go back to the days of spending $250,000 on a Sun pizza box, no matter how fancy. MySQL, on the other hand, may not be as powerful as Oracle Database, but MySQL allows start-ups and even one-person businesses to be up and running in minutes.
Free and open source software is essential to almost everything today. Indeed, the “LAMP” combination of Linux, Apache, MySQL, and PHP alone powers much of the web as we know it. Want to manage a website? Chances are you’re using WordPress, which runs on Apache and MySQL, is programmed in PHP, and it all runs on Linux servers. Add other software provided by your host? It’s the same story.
Software engineer Jeffrey Roe said the real problem is that people have to work to get it right.
“That’s a broad generalization, but many open source projects are designed to get you up and running quickly. A lot of people don’t always set things up correctly,” he said.
Roe is also director of Dublin’s Tog hackerspace, a place where hobbyists can come together to learn and work on tech projects. This movement, which has spread across the world in recent decades, would be unimaginable without free software, precisely because many technology companies have worked hard to lock down both hardware and software in the hope of locking in users.
Competence is obviously part of the answer, of course, but new methodologies that give greater control over software projects, replacing giant monolithic projects with smaller chunks and clearly defined responsibilities, would also go a long way.
It will take time, Roe said, but it is happening.
“The way the modern software stack is, we’re moving away from one person having full control [but] DevOps has not yet reached full maturity. It’s getting better, but it takes an organization of a certain size and with certain resources,” he said.