Open source is often considered more secure than proprietary software, but the right practices are needed to keep even the most secure systems secure. In this episode of TFiR: Mainframe Matters, Swapnil Bhartiya sits down with Joe Bostian, Chair of the Open Mainframe Project's Ambitus project and Senior Technical Staff Member at IBM, to discuss open source security. He talks about some of the key challenges of securing open source and how the efforts of the mainframe community and the Ambitus project are helping to tackle them, and he shares his advice on how organizations can better secure their source code.
- Open source does not necessarily mean secure; security depends on the quality of the codebase and on how the software is deployed and managed, whether it is proprietary or open source. There is no guarantee that code that was secure a year ago is still secure now. Bostian feels this is where the open-source community is strong, since it is constantly evolving and sharing information.
- The speed at which patches are deployed is crucial to the security of an environment. Complex dependencies can be challenging to manage and need to be coordinated properly. Bostian says that, regardless of their background, people need to keep as current as is technically feasible to tackle today's security risks.
- From a cultural standpoint, practices such as DevSecOps, Shift Left, and Zero Trust are still very much a work in progress. Bostian feels that the Log4j vulnerability acted as a catalyst, spurring a lot of work in this space. He explains what the project is doing to help users improve their DevOps pipelines so they can stay current.
- Bostian explains how the mainframe community is educating users to keep their code base secure. The Open Mainframe Project's Ambitus project is assembling sets of open-source DevOps software that may benefit the community, supporting existing open-source projects that can enhance the security of the environment, and trying to find a home for people with good ideas for security-enhancing DevOps tooling.
- One of the key metrics for how safe a codebase is the age of the packages on your system, but age alone is not decisive: some packages receive frequent updates, whereas others are older yet still secure. Bostian explains the work being done in the Ambitus project to help with these efforts.
- Bostian shares his advice on how organizations can ensure that the open-source code base they use in their services or products is safe. There are many scanners available; the best practice is to apply several of them in an organized way, and ideally to use ones that not only identify problems but also suggest resolutions.
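The last two points (package age as a metric that must be read alongside upstream release activity, and several scanners applied in an organized way with preference for those that suggest a fix) can be turned into a small triage routine. The following Python is an added example for this summary, not code from the episode, IBM, or the Ambitus project; the package names, versions, dates, scanner names and `EXAMPLE-000x` finding identifiers are constructed sample data, not real advisories.

```python
"""Added example: score a dependency inventory and merge multi-scanner findings.

Package names, versions, dates, scanner names and EXAMPLE-* identifiers below
are constructed sample data (assumptions), not real packages or advisories.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    installed: str
    installed_date: date   # release date of the version we run
    latest: str
    latest_date: date      # release date of the newest upstream version


def installed_age_days(pkg: Package, today: date) -> int:
    """Raw age of the installed version; useful as a metric but not on its own."""
    return (today - pkg.installed_date).days


def classify(pkg: Package, today: date, unmaintained_after_days: int = 730) -> str:
    """Judge a package by how far behind upstream it is, not by raw age alone.

    - a newer upstream release exists            -> "outdated"
    - current, but upstream has gone quiet       -> "possibly-unmaintained"
    - current and upstream still releases         -> "current"
    """
    if pkg.installed != pkg.latest:
        return "outdated"
    if (today - pkg.latest_date).days > unmaintained_after_days:
        return "possibly-unmaintained"
    return "current"


@dataclass(frozen=True)
class Finding:
    package: str
    vuln_id: str
    fixed_in: Optional[str] = None   # set only by scanners that suggest a resolution


def merge_findings(results: Dict[str, List[Finding]]) -> List[dict]:
    """Merge the output of several scanners keyed on (package, vuln id).

    The merged list is ordered so that actionable findings (a fix version is
    known) come first, then findings corroborated by more scanners.
    """
    merged: Dict[Tuple[str, str], dict] = {}
    for scanner, findings in results.items():
        for f in findings:
            key = (f.package, f.vuln_id)
            entry = merged.setdefault(
                key, {"package": f.package, "vuln_id": f.vuln_id,
                      "scanners": [], "fixed_in": None})
            entry["scanners"].append(scanner)
            if f.fixed_in and entry["fixed_in"] is None:
                entry["fixed_in"] = f.fixed_in
    return sorted(merged.values(),
                  key=lambda e: (e["fixed_in"] is None, -len(e["scanners"]),
                                 e["package"], e["vuln_id"]))


# Constructed sample inventory and scanner output (assumptions, not real data).
TODAY = date(2023, 3, 1)
INVENTORY = [
    Package("libalpha", "1.2.0", date(2021, 6, 1), "1.4.0", date(2023, 1, 15)),
    Package("libbeta", "0.9.0", date(2019, 4, 10), "0.9.0", date(2019, 4, 10)),
    Package("libgamma", "3.1.1", date(2022, 11, 20), "3.1.1", date(2022, 11, 20)),
]
SCANNER_RESULTS = {
    "scanner-a": [Finding("libalpha", "EXAMPLE-0001", "1.3.0"),
                  Finding("libbeta", "EXAMPLE-0002")],
    "scanner-b": [Finding("libalpha", "EXAMPLE-0001"),
                  Finding("libgamma", "EXAMPLE-0003", "3.1.2")],
}


def report(inventory: List[Package], results: Dict[str, List[Finding]],
           today: date) -> Tuple[Dict[str, str], List[dict]]:
    """Return per-package status and the prioritised merged finding list."""
    status = {p.name: classify(p, today) for p in inventory}
    return status, merge_findings(results)


if __name__ == "__main__":
    status, findings = report(INVENTORY, SCANNER_RESULTS, TODAY)
    for pkg in INVENTORY:
        print(f"{pkg.name:10} {status[pkg.name]:22} "
              f"installed {installed_age_days(pkg, TODAY)} days ago")
    for f in findings:
        fix = f["fixed_in"] or "no fix suggested"
        print(f"{f['package']:10} {f['vuln_id']:13} {fix:17} seen by {f['scanners']}")
```

Two design choices worth noting: `classify` treats "old" as a problem only when upstream has moved on or gone silent, which is the nuance in the point above about older-but-still-secure packages; and `merge_findings` keeps every scanner's verdict on the same (package, id) pair rather than trusting one tool, then surfaces first the items a tool already knows how to fix.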
This summary was written by Emily Nicholls.