"Open source projects are like children; no two projects are exactly the same, with different communities, structures, governance and contributors," says Benjamin Henshall, Director, AppDev Solutions, APAC at Red Hat.
According to Henshall, open source, which is now the preferred model for consuming software will build the next generation IT systems. Speaking with Computerworld India, Henshall talks about how open source is the foundation for successful IoT deployment and how Red Hat is still the leader in this space.
What are the security challenges specific to open source?
There are many. In 2016, Red Hat fixed more than 1,300 vulnerabilities by releasing over 600 security advisories. It is important to note that critical issues are fixed within the day. One of the biggest concerns with respect to security in open source is that people will go and copy the code from 'upstream open source community', which does not have a certification or a security response team, and doesn't even package the code.
Users will often download this code, and run it on a critical system inviting several vulnerabilities like Heartbleed. Once affected, these users then try to fix it themselves without having the necessary skills to do that.
How can open source help in secure DevOps?
Open source is a prerequisite in this space as DevOps is all about speed, continuous integration and continuous deployment. Using proprietary software built in the 90s or early 00s are not designed for DevOps development and test release platforms. You might eventually get there, but you are going to get stuck.
Most organizations are trying to change two major things about how they use DevOps; their culture and process about how they do things in this space, and their architecture. Because they're using tools that are not designed for today's way of developing, testing and releasing software, i.e. the DevOps platform.
DevOps is all about agility, nimbleness and quick turnaround, with small packets of code being tested and released. This is where open source comes in as the fundamentals of open source lies on the small parts that come together with open APIs and interoperability to support the development delivery platform. Security frameworks need to be baked into the DevOps' framework, instead of adding it towards the end.
What are the standardization challenges when it comes to open source?
There are software standards, and open source is known to conform to those when selected by a few businesses for deploying in their operational scheme of things. They stand as checkpoints for selecting or rejecting a product. The need for standards is one of the reasons for Red Hat's immense success in the market. We standardized the OS and the middleware, so that SIs can come together and build certified, supported, reliable and trusted solutions around that.
However, there are 1.5 million open source projects out there, and there are community bodies in certain parts of these projects who start creating their own standards. There are many standard bodies that are bringing specifications according to which the open source community and vendors can build their solutions. Red Hat is deeply involved in these processes to help the enterprise and the upstream community so that we can enable innovation using open source. APIs are one of the processes of standardization.
One of the other challenges, in a positive way, is the presence of so many open source projects. Each open source project is like a child, with their own personality. It is very difficult to try and make sense to fit them together, and get a standard body with good governance, good representation of the community, and rules about how it's going to work.
Open source is really, really hard. At Red Hat, we constantly debate and discuss how to proceed, how to engage with the community, which standardization bodies to be a part of, how to collate these different projects together.
How will open source be the foundation element for IoT?
It is fallacious to suggest that the 10-12 odd IoT solutions out in the market are going to address 99 percent of use cases. IoT is an exceptionally broad, exciting and innovative industry for out-of-the-box as well as bespoke solutions. Software is the driving factor or the CNS that is going to support an IoT architecture.
Because much of open-source is built on the cloud, by the cloud and for the cloud, it has inherent excellent design and architecture for IoT by design. IoT apps need to be modular, incredibly lightweight, highly secure and scalable, with impeccable interface, sufficient connectivity options, and in essence, be cloud-native. And that's where open source can help, but only the certified, secure and well-managed kind.
Proprietary vendors are struggling to embrace these solutions because they have to completely re-engineer their software. IoT is essentially an application architecture solving a business problem, with three main aspects - the datacenter for all the number crunching, the gateway that collects data, and the end devices which generate the data.
What are the challenges unique to Indian open source customers?
India is a prolific user of open source. In fact, the Indian government has an open source policy that dictates that open source must be the first option while building all government and public sector IT projects.
However, a large part of the industry think that they can download bits and parts of open source code from the Internet, and roll their own software stack. There are all companies in different sectors, who are essentially not in the software business. This is also where the "innovator's dilemma" comes in, where IT leaders are constantly deciding where to invest in order to innovate.
Perceived as free, and easily downloadable, companies often think that they can roll their own software stack. As a result, these non-software companies become a part of the open source software distribution business themselves. This means that its IT team is now responsible for things like certification, security and bug fixing.
While a company like Red Hat could have taken care of all these issues, Indian companies choose to do it themselves and end up having to invest their own resources for them. Coupled with substandard documentation, lack of good governance and the absence of the necessary infrastructure, this cheaper option often proves to be costlier than the business savvy option of using open source to innovate.