Developers may be the new kingmakers, to quote Redmonk, but they’re not very careful about locking the gates. That’s the primary take-away from a slew of ransomware attacks against MongoDB, CouchDB, Elasticsearch, and Hadoop, as I’ve argued.
Some people, however, have learned the exact wrong lesson from this debacle. Exhibit A is David Ramel’s article wherein he suggests that open source is ultimately to blame for the attacks. This is wrong on so many levels, but let’s address just a few.
Open source does not equal open door
First, there’s this excerpt from the article:
Although these much-publicized attacks concerned only a few types of databases, they serve as a sobering reminder of the vulnerabilities in open source software, where it’s often incumbent upon users to secure the open source components they use in projects.
I’m not even sure this actually means anything, but if it means “users of open source software need to secure their software,” this is as true of proprietary software as it is of open source. Speaking of MongoDB, former MongoDB vice president Kelly Stirman has said, “There is no security issue with MongoDB–extensive security capabilities are included with MongoDB.” However, he then noted that some developers choose not to use those included security capabilities out of “convenience.”
MongoDB has more recently made tight security the default in the database–you have to proactively disable it. But even before, it’s hard to fault a database because the person operating it has chosen to not care about security. How is that the database’s fault?
Even if you think Hadoop or MongoDB or some other data infrastructure is weak on security, it’s not clear why this is suddenly an open source failing, rather than simply a matter of developers (or others) being unwilling to bother about security.
It’s your fault you’re popular
Maybe that’s open source’s fault for making software easy to access and use, but that seems like an inane accusation. Surprise! Someone is nonetheless willing to make it.
Black Duck Software’s vice president of security strategy, Mike Pittenger, decreed 2017 would see a 20% increase in open source security vulnerabilities largely because…it’s popular (“Open source use is ubiquitous, and therefore offers a target-rich environment.”). Not only that, but “Open source vulnerabilities are publicly disclosed in the National Vulnerability Database (NVD).” To cap it off, he further argued that “The support model for open source is usually the opposite of commercial software.”
To Pittenger’s first point, he’s right. Open source is really, really popular. In fact, as Cloudera co-founder Mike Olson has insisted, “No dominant platform-level software infrastructure has emerged in the last ten years in closed-source, proprietary form.” Virtually all data infrastructure software of any significant adoption is open source.
Does this give hackers a ripe target? Well, according to Pittenger, they simply need to look up vulnerabilities in a central database and voila! Let the hacking begin.
Except…enterprises can also consult this same database and plug the holes. In this respect, open source is even more secure than proprietary software, because its security holes are either well known or readily accessible. All software ships with bugs and other security holes. In the case of open source, the process for discovering them and fixing them is open. It’s unclear why Pittenger, or Ramel who quotes him, would find this problematic.
Finally, Pittenger argued that proprietary software comes baked in with support while open source software doesn’t. This is both true and false. Most open source software, and certainly the software exposed to recent ransomware attacks, can come with commercial support, though it’s true that it can also be downloaded for free and used without support. If enterprises choose not to buy commercial support for their critical open source software, how is this the fault of open source? It just means the enterprises are unwise.
All of which comes down to enterprise IT (or developers), not open source software. This isn’t even a “Guns don’t kill people; people do” sort of argument. There is nothing about open source software that is inherently insecure (or secure, for that matter). The process for discovering and fixing problems is arguably superior, but no amount of process or code matters if the people deploying the software simply elect not to secure their databases. That is not an open source problem–it’s a people problem.