Eyeballs Alone Are Not Enough For Open Source Security: Rob Hirschfeld, RackN

Guest: Rob Hirschfeld (LinkedIn, Twitter)
Company: RackN (Twitter)
Show: Let’s Talk

2021 has been a very interesting year because of not just the pandemic that disrupted many businesses and norms and created a new culture for future workforce but also the impact it had on open source. In this episode of Let’s Talk, I sat down with Rob Hirschfeld, CEO and Co-Founder of RackN, to talk about the changes we saw in the open source world in 2021.

Here are some key takeaways from this discussion:

Rob, if I ask you to reflect on 2021, what’s going on with open source? How are things changing? Are they getting better or worse?

“I think that people are looking at open source as not the answer to every problem, which is potentially the most healthy thing that we can have.”

So how has open source contributed to the emergence of new companies? It doesn’t take months or years to start a new tech company these days.

“I think that it is important to think of open source as a development model where you have communities helping do development. It’s also as much an ecosystem model where you build up an ecosystem.”

Major changes at one of the biggest open source communities like Kubernetes?

“I see a lot of places where people have a green light to build things in Kubernetes, or on top of Kubernetes, which is very healthy for an ecosystem. You can come to market as a Kubernetes product and not be questioned, which means that Kubernetes has reached a critical mass for how things are going.”

Do enough eyeballs make things secure?

“Even having users doesn’t. It’s eyeballs, but it’s also usage. And so we can’t make the assumption that just because something has a massive ecosystem and is widely used that it’s automatically more secure than something else.”

Looking at these security news related to open source, what can open source projects do for better security posture?

“None of that technology (open source) comes with the processes and practices that ensure that you can update, patch, deploy and fix. Those are things that are still on the users, they’re still on the operators. When we look at customers wanting to use open source technologies better, they need to be prepared to update, migrate, change, fix, adapt.”

Understanding open source is a software supply chain

“It’s a supply chain. This is the thing that I think we’ve been learning over and over again, is that you need to be aware of the supply chain of your business. And the software and the infrastructure is part of that supply chain.”

How do players like RackN make open source more consumable?

“What we do with an infrastructure pipeline is we put together a lot of pieces as a system and take a very systematic view of it. And that allows you to roll through changes. You become insulated from changes to HashiCorp or from Linux, or from IPMI or Redfish vendors, or hardware, software, or clouds.”

[expander_maker]

Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya, and welcome to another episode of TFiR: Let’s Talk. Today, we have with us, once again, Rob Hirschfield, CEO and co-founder of RackN. Today we are going to talk about open source. It’s the end of the year, so many things happened this year in the open source world, whether it’s license change, whether it’s community building, or security, there. So Rob, if I ask you, if you reflect on 2021, what’s going on with open source? How things are changing, things are getting better, things are getting worse. Talk about it.

Rob Hirschfeld: I think you need to include the Log4j challenge in this whole thing. I think that people are looking at opensource as not the answer to every problem, which is potentially the most healthy thing that we can have.

We started a couple years ago with this idea that opensource was going to solve every problem, and I’m guilty of this too. I’ve written very breathy blog posts saying, opensource and collaboration, and GitHub are the answer to every one of the society’s problems.

And I think that we are coming back with a measure of pragmatism in how opensource should be working. And we’re asking some real questions about how the opensource communities are governed, how the patches go, how the security is going, how these projects are being sustained. I think it’s a much more pragmatic state for opensource than it has been in the past.

Swapnil Bhartiya: When you said you were thinking opensource is going to solve problems. I think we have had this discussion earlier [inaudible 00:01:51] VMware as well, where sometime people do confuse opensource with a business model.

The fact is that it’s a collaboration model, it’s depending on the license you use, it can dictate who can collaborate or not with you. How you build business is totally different. It’s just like cooking, right? You can have your own, but how do you sell that pizza is a totally different thing. If you look at all the companies that evolved, if they had to write all the code by themselves, it would’ve taken them decades.

So opensource [inaudible 00:02:28] is getting started, then we talk about cloud, public cloud, private cloud that also helps with the infrastructure part we don’t have to build. So how has opensource contributed to emergence of new companies? It doesn’t take months or years to start a new tech company these days.

Rob Hirschfeld: There’s a whole set of interesting components with this, because Linux was major 30 year anniversary. We get to a point where some things we’re just taking for granted, but even Linux is showing challenges with what Red Hat did with Santos and converting it to streams and spinning out two new distros based on the Santos up-streams.

I think that it is important to think of opensource as a development model where you have communities helping do development. It’s also, and as much an ecosystem model where you build up an ecosystem.

We should include Hashicorp going public, and they’re putting the word opensource company quite a bit, the tools they build are open. Most of the tools they have are Hashicorp products, and they maintain control of that. It’s a very different model than you get with say CNCF with Kubernetes, where there’s a foundation model.

And we actually saw some companies in that model, Knative specifically go back into governance with the CNCF. So it’s sort of a muddy challenge here. There are places where you can get a very big market and create a lot of use by having an opensource project or product that you give away for free, and there’s also times when having a whole bunch of people collaborating around that project is the secret to its success.

It also can create some confusion. CNCF has reached a point with the landscape and with the number of companies, the number of projects, some of them single company projects that they incubate into CNCF that people are starting to get confused about what is a required project, what it takes to get into that incubation phase, is it necessary? What they need to pay attention to. And that’s a challenging perspective from a user’s model.

Swapnil Bhartiya: Let’s also talk about one of the biggest communities these days, I think after Linux community, the community that we talk a lot about these days is Kubernetes, and I recorded the show with somebody and they said that in 2022, Kubernetes more or less will become like what Linux used to, general applications Kubernetes will come to cloud native applications. So if we just look at Kubernetes ecosystem, the communities, any changes? What are you seeing there?

Rob Hirschfeld: I think that we are starting to look at the Kubernetes infrastructure system as complex, I see this a lot. And it’s also in some ways an automatic ticket at the moment. I see a lot of places where people have a green light to build things in Kubernetes, or on top of Kubernetes, which is very healthy for an ecosystem.

So you can come to market as a Kubernetes product and not be questioned, which means that Kubernetes has reached a critical mass for how things are going. The challenge is since there are no breaks at the moment in that model, we are going to start getting back into a point where companies start saying, wait a second, just because you’ve done it in Kubernetes doesn’t make it a good thing, or I know how to sustain it or manage it or things like that.

And so I think that we’re getting into the lifecycle where not everything built on Kubernetes should automatically be considered good, and that is I think, a healthy part of how these things go. I also think that we’re seeing, and I see this quite a bit. We’re still struggling with how to operate Kubernetes.

Amazon at re:Invent introduced I think two different ways that they also will auto scale and manage Kubernetes that are different than what other people in the industry are working on. And the challenge with that just means that it’s not settled.

I see a couple of big distros that people use, and they don’t necessarily have good answers to long term operations. And the idea of just trusting the cloud providers to manage it for you, which is where thing things ended in 2001, is causing a little bit more angst when you start looking at say, Amazon having a day long outage.

And so we need to really think through the usability and manageability of these platforms, and how we’re going to sustain them. And this is where I would bring in Log4j. Some people felt really betrayed by the opensource aspects of Log4j.

This is a critical vulnerability that’s been in the source code for years, and that was not supposed to happen with opensource, according to some. Actually software has vulnerabilities, they get discovered, it doesn’t matter how many eyeballs you have, we are still going to discover vulnerabilities in software.

But I think the thing that I see that we forget about in opensource is that just because you’re using opensource, you still have the responsibility for maintaining your version of it, keeping it up-to-date, patching it, watching it. That’s not an opensource specific thing, that’s a software thing. It’s a hardware thing.

And so I do think that we get distracted by opensource solving my problems and not thinking through, I still have to be responsible for the operations of this and patching it, and running it, and doing all these things. And so that’s part of what people forget they own even when they’re using opensource.

Swapnil Bhartiya: I’ll talk about of course opensource does make it easy to find box and because the code is there, anybody can see, and there’s also agreement, just known as Linus’s law that given enough eyeballs, all bugs are shallow. But the fact is that it doesn’t matter how many eyeballs you have, what matters is where you are looking.

If you only look where you expect something to be going wrong, just because code is opensource does not mean it is secure. We all know that there is nothing like… But the fact is we need to build in subsystems, Linux Foundation, they have done a lot of work. The Linux community, they have a lot of process in place, but the problem that is happening is some of these opensource projects, just having eyeballs does not make it secure.

Rob Hirschfeld: Even having users doesn’t. It’s eyeballs, but it’s also use. And so we can’t make the assumption that just because something has a massive ecosystem and is widely used that it’s automatically more secure than something else.

And this to me is just the illusion that we’re operating under. This year pierced the veil in a couple of different ways, because it also pierced the veil on the idea that Amazon is better at operating software than you are.

They are, we know that, but they are operating software in a much more complex environment than you are. So some of their expertise is used up by the fact that they’re doing it. But going back to opensource, that Log4j problem really pierced to the veil because the idea that just it’s a widely used library that’s in code that’s got a lot of eyeballs on it, and it still is going to have a vulnerability.

And we should all know that just because we fixed this one vulnerability and patch it, it’s not going to protect us from the next one. There’s another one.

Swapnil Bhartiya: If I ask you from your perspective, since you also deal with paying customers from open source angle, what should opensource communities do so that it’s not exclusive to projects like Linux who do take a lot of work. There should be some set of best practices, and best practice is very bad word actually in reality. But so to ensure that those opensource projects, they do have some mechanism in place so that this doesn’t happen if we hear about it every year.

Rob Hirschfeld: Opensource is amazing, and we rely, and our customers rely heavily on opensource technologies at a very deep level in the stack. And that’s good. That’s the way it should be, and that’s part of what our ecosystem has been.

None of that technology comes with the processes and practices that ensure that you can update, patch, deploy and fix. Those are things that are still on the users, they’re still on the operators. When we look at customers wanting to use opensource technologies better, they need to be prepared to update, migrate, change, fix, adapt.

As an example, and this is really critical, opensource communities evolve and change. So we have a lot of customers who are using Santos and are concerned about the Santos streams migration, and have been looking to fall back to a Debian based distro or look at Rocky or Alma or one of the Santos alternatives.

Okay, it’s not a fast migration. They have machines that are already deployed, they have to change their tooling. They have to do a lot of work to do that migration. That is not a defect of opensource, it’s a feature of opensource.

And the challenge is if you want to use those technologies, you have to have invested in ways that you’re going to actually improve, and change, and respond into those systems.

And so this is the biggest thing for us and what we see our customers, the good ones understand that they have to adapt. They have to be able to accommodate the changes that are going to get thrown at them by using opensource and make informed decisions.

And in some cases rely on a vendor to cushion that, in some cases where they’re choosing not to do it, they’re going to come back to somebody like us, like RackN and say, we need the process support. The infrastructure is code, the infrastructure of pipelines to neutralize the changes that have to go about.

And that’s important in any software and infrastructure, it’s even more important with opensource where there is a higher rate of churn by design.

Swapnil Bhartiya: The way I look at it, the opensource day one problem, where you can get started with things, for day two, either you have your in-house resources, which you may need a lot, or you have to go with a vendor. There’s no other way because you will end up… It’s more or less like building a business of selling potato juice, but opensource ends with a farm. Somebody grew the potatoes, now it’s up to you to haul the truck to your store, cut the potatoes. It’s no different than it gives you the raw ingredients.

Rob Hirschfeld: It’s a supply chain. This is the thing that I think we’ve been learning over and over again, is that you need to be aware of the supply chain of your business. And the software and the infrastructure is part of that supply chain.

You can’t just outsource it to somebody else and assume everything’s good. You have to have a degree of responsibility for that. Either by being able to switch vendors, or adapt to variation from that vendor, or you have to take responsibility if you’re going to a vendor and they let you down, and they disrupt your business. You need to make deliberate supply chain choices all the way down to your Java libraries.

Swapnil Bhartiya: And I think that’s where players like RackN play a very critical role where companies can get to use whatever opensource technology they want to use, but you also can enable them by being a vendor of one throat to choke, make things easier for them.

They can focus on adding business value, whereas you focus on keeping their stack. And so that’s why I know the whole ecosystem where you folks play a very critical role in opensource. It’s not about opensource, it’s not about code.

Rob Hirschfeld: This is exactly right. What we do with an infrastructure pipeline is we put together a lot of pieces as a system and take a very system view of it. And that allows you to roll through changes. You become insulated from changes to Hashicorp or from Linux, or from IPMI or Redfish vendors, or hardware, software, or clouds.

That degree of, we’re not taking those out of the picture. They’re good tools individually, what we’re doing is reducing the impact of any one of those components changing or having to change. And you’re right, that’s exactly how people need to adapt to opensource technology and be flexible and ready for the winds to change.

Swapnil Bhartiya: Rob, thank you so much for taking time out today and talk about, of course how opensource is evolving. It is evolving, that is the effect. And as usual, I’d love to see you back on the show next year maybe, thank you.

[/expander_maker]

You may also like

Alcion Is Betting On AI-Driven Data Protection | Niraj Tolia

Google Launches Gemini, Its ‘Most Capable’ AI Model

Solving Cloud Security Problems Efficiently With Tamnoon | Marina Segal

Nexusflow Launches New Open-Source Generative AI Model With Function-Calling Capability

LF Energy Adds Five New Open Source Technical Projects

At KubeCon, Akamai Talks About Pushing Cloud Native Into Edge Native