The first step in eliminating the roadblock to secure IT innovation is to re-examine some common security assumptions.
People assume that open source software development isn’t as well organized or controlled as proprietary software. Because of that assumption, IT decision makers tend to stay with slow-moving, traditional infrastructure suppliers, which limits their ability to adopt transformational technologies from the open source community.
Actually, open source code is the result of a sophisticated process of review, acceptance, or rejection. The open and distributed development process tends to result in code that is at least as thoroughly reviewed as proprietary software, if not more so. Often, far greater numbers of people are reviewing and testing the software than is the case with proprietary code. This can lead to faster discovery and remediation of security vulnerabilities.
Coverity, a software testing house and provider of analytic tools, compared the code of more than 1,500 open source projects (including Apache Hadoop, NetBSD, FreeBSD, LibreOffice, and the Linux kernel) to the proprietary code of customers such as Microsoft, SAP, and RSA.
In Coverity’s findings, the open source code bases had an overall defect density of 0.59 per 1,000 lines of code, compared to 0.72 for proprietary software.3
Common thinking is that introducing virtualization technology increases the security risk of everything from the hosting servers to the applications running on virtual machines. However, a virtual environment is not inherently riskier than physical servers. It’s the underlying software—the hypervisor and operating system—that determines the security advantages or disadvantages of a virtual environment.
[Figure: 2 ways malware could be used to attack virtual systems]
When the hypervisor and underlying operating system share the same consistent, embedded security capabilities, it mitigates the risk of malware being able to attack other virtual machines or the server hardware. In fact, when implemented optimally, virtualization can actually reduce vulnerabilities by isolating virtual machines in a secure operating system environment.
Kernel-based Virtual Machine (KVM) is an open source hypervisor providing enterprise-class performance, scalability, and security. It is also one of the fastest-growing virtualization technologies, with 50% growth in deployments according to IDC.4
KVM offers built-in, hardened security with Security-Enhanced Linux (SELinux), originally developed in conjunction with the National Security Agency. SELinux is a kernel security system that enforces granular, policy-defined access controls through the Linux Security Modules framework in the Linux kernel.
With the ability to dynamically deploy and move workloads between physical, virtual, and cloud resources, it is now necessary to account for scenarios where: a) the images being used contain vulnerabilities (possibly because they are out of date), and b) workloads are moved to zones or migrated to hosts lacking sufficient network and system layer protections (e.g., when a “secret” workload is moved to an “unclassified” system).
This requires having a secure infrastructure as the foundation, as well as security features capable of keeping up with changing environmental variables. When you have an infrastructure with consistent security implemented throughout the operating system, virtualization, and cloud layers, you can match the security capabilities to the dynamic movement of the workloads. In other words, if workloads move, security policies and enforcement move with them.
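The two mechanisms described above (SELinux isolating KVM guests from one another, and security policy that travels with a workload when it moves) can both be illustrated with the label-comparison rule SELinux uses. This is an added example, not code from the original page or from KVM, libvirt, or the SELinux project: it is a small Python model of how a label such as system_u:system_r:svirt_t:s0:c12,c34 is compared. The label format, the svirt_t and svirt_image_t types, and the practice of giving each guest its own pair of MCS categories are real; the host_t type, the host clearance labels, the image-age threshold, and all sample labels are constructed for the example, and category ranges (c0.c1023) are not modelled.

```python
"""Toy model of the SELinux MLS/MCS dominance check behind sVirt guest isolation.

Added example (not the page's or any project's code). A guest process runs as
svirt_t with a unique pair of MCS categories; its disk image is labelled
svirt_image_t with the same pair. Access is allowed only when the process label
dominates the file label, so guest A can never read guest B's image. The same
rule, applied to sensitivity levels, gates a workload migration so that a
"secret" workload is refused on an "unclassified" host.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Label:
    user: str
    role: str
    type_: str
    sensitivity: int              # "s0" -> 0, "s1" -> 1, ...
    categories: FrozenSet[int]    # "c12,c34" -> {12, 34}

    @classmethod
    def parse(cls, text: str) -> "Label":
        # Accepts user:role:type:sN or user:role:type:sN:cA,cB (no ranges).
        parts = text.split(":")
        if len(parts) not in (4, 5):
            raise ValueError(f"bad label: {text!r}")
        user, role, type_, sens = parts[:4]
        if not (sens.startswith("s") and sens[1:].isdigit()):
            raise ValueError(f"bad sensitivity in {text!r}")
        cats: FrozenSet[int] = frozenset()
        if len(parts) == 5 and parts[4]:
            cats = frozenset(int(c[1:]) for c in parts[4].split(","))
        return cls(user, role, type_, int(sens[1:]), cats)

    def dominates(self, other: "Label") -> bool:
        """MLS/MCS dominance: level at least as high, and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


# Stand-in for the type-enforcement rules: svirt_t may touch svirt_image_t.
TE_ALLOW = {("svirt_t", "svirt_image_t")}


def guest_may_access(process_label: str, image_label: str) -> bool:
    """True only if type enforcement allows the pair AND the MCS categories match."""
    proc, img = Label.parse(process_label), Label.parse(image_label)
    return (proc.type_, img.type_) in TE_ALLOW and proc.dominates(img)


def migration_allowed(workload_label: str, host_clearance: str,
                      image_age_days: int, max_image_age_days: int = 30) -> Tuple[bool, str]:
    """Pre-migration gate: refuse stale images (a) and hosts whose clearance
    does not dominate the workload's label (b). Threshold is a constructed value."""
    work, host = Label.parse(workload_label), Label.parse(host_clearance)
    if image_age_days > max_image_age_days:
        return False, f"image is {image_age_days} days old; rebuild before moving"
    if not host.dominates(work):
        return False, f"host clearance {host_clearance} does not dominate {workload_label}"
    return True, "ok"


# Constructed sample labels: two guests with distinct MCS category pairs.
GUEST_A = "system_u:system_r:svirt_t:s0:c12,c34"
GUEST_B = "system_u:system_r:svirt_t:s0:c56,c78"
IMAGE_A = "system_u:object_r:svirt_image_t:s0:c12,c34"
IMAGE_B = "system_u:object_r:svirt_image_t:s0:c56,c78"

# Constructed host clearances: an unclassified zone (s0) and a secret zone (s1).
HOST_UNCLASSIFIED = "system_u:object_r:host_t:s0"
HOST_SECRET = "system_u:object_r:host_t:s1:c12,c34,c56,c78"
SECRET_WORKLOAD = "system_u:system_r:svirt_t:s1:c12,c34"


if __name__ == "__main__":
    print("A -> image A:", guest_may_access(GUEST_A, IMAGE_A))   # True
    print("A -> image B:", guest_may_access(GUEST_A, IMAGE_B))   # False
    print("B -> image A:", guest_may_access(GUEST_B, IMAGE_A))   # False
    print(migration_allowed(SECRET_WORKLOAD, HOST_UNCLASSIFIED, 5))   # refused: level
    print(migration_allowed(SECRET_WORKLOAD, HOST_SECRET, 45))        # refused: stale image
    print(migration_allowed(SECRET_WORKLOAD, HOST_SECRET, 5))         # (True, 'ok')
```

The point of the model is that a single rule, applied at the kernel on every host, gives both properties the text asks for: guests on one host cannot reach each other's storage even though they share a hypervisor, and because the label is attached to the workload rather than to the host, the same comparison decides whether a destination host is cleared to run it.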
"By 2015, 60% of CIO security budgets for increasingly vulnerable legacy systems will be 30-40% too small to fund enterprise threat assessments while maintaining existing reactive security investments." --- IDC5
3. “Why Open Source Development is Getting More Secure,” Nick Heath, TechRepublic, June 3, 2014.
4. “Competition Among Open Source Projects Delivers Better Technology Faster,” Jim Zemlin, Linux.com, October 21, 2013.
5. IDC, IDC 2014 Predictions: CIO Agenda presentation, December 2013.