Today, most app developers incorporate code from open source development projects as a way to reduce development time and improve overall code quality. This code can be part of an actual cloud suite, such as OpenStack, or support tools, ranging from compilers to storage managers and a variety of app modules.
But using the hundreds of available code repositories as sources -- while trying to pick the most appropriate open source code -- is a complex task that may open the door for malware. Beyond the risk of hacked code lies the question of code quality. To ensure you're using reliable and secure open source code, confirm that the code is well designed and documented, and that it was tested rigorously for wide use.
The consensus of other users is often the best first guide to code quality issues. The open source community is pretty vocal about problems, and will warn you away from poor code. OpenStack code, for example, is highly scrutinized and tightly controlled; any issues surface quickly because of the large developer and user community surrounding it. Other resources for discovering code quality issues include the Programmers Stack Exchange and Stack Overflow.
With malware, however, it's different. Sometimes a problem can lie dormant or undetected for a long time. Ruby on Rails, a popular open source framework, had undetected vulnerabilities going back six years, for example.
To make sure you deploy secure open source code, look under the hood. Use the most recognized and trusted repositories -- such as GitHub and OpenStack's Image Service -- as a source. There are also app stores where signed code from trusted vendors is available, with the ability to check signatures for the lifetime of the code.
Next, look for code that's commonly used and avoid the inclination to try other code simply because it's different. "Common use" means many testers have run that piece of code and it's likely to work to specification.
None of this would have caught the Ruby on Rails issues, though. Track the Open Web Application Security Project's list of application vulnerabilities for early news of issues with commonly used open source code.
Version management is also important to ensure secure open source code. Don't deploy a new code version into your cloud unless there is a consensus that it's safe. On the other hand, make sure to update versions together so that known security bugs are actually closed. A version manager will be useful for this.
Open source code use has come a long way in the last few years, and is a mainstay of development today. It can help development teams implement new cloud apps more quickly, and be as safe as in-house code -- with the right amount of care.