Security the biggest challenge for open-source development, says Linux Foundation CTO
Any volunteers?
Security is one of the biggest challenges 'bugging' open source software - and open source projects need more people to uncover the bugs and to plug the holes in the code that holds together much of the internet.
That's according to Nicko van Someren, chief technology officer at the Linux Foundation, who said that vast swathes of the internet, not to mention companies with online business models, rely on open source code, software and infrastructure.
"Open source projects are the roads and bridges of the internet. Pretty much everything we do on the internet relies on open source," he said in a keynote speech at Cloud Expo in London.
"There are people out there running open source web frameworks on open source server frameworks, with open source SSL stacks on open source web servers, sitting in an open source container, running on an open source kernel in an open source hypervisor."
So, yeah, open source is a big deal. But Someren pointed out that Linux has a big hurdle to overcome in the form of security holes caused by casual coding and a lack of guidance, best practice and enough people to spot problems and fix flaws.
"We've really reached a golden age in open source. Or not. There's a problem that we've historically seen with open source projects which is about security. Security issues are not unique to open source, but it is a critical problem among open source projects," he said.
Someren acknowledged that the collaborative and community aspects of the open source world are great at developing new features and innovative tech ideas.
But there are problems with security that have led to major threats like Shellshock, Heartbleed and Poodle that put millions of internet users at risk.
Someren was careful not to blame open source enthusiasts, many of whom work on projects in their own time while holding down a full-time job. But he warned that the security woes can be attributed to lots of people building on old, established code that could contain flaws which simply don't get spotted because no one is really looking at that code any more.
He also noted that lots of open source foundations have been built up over the years, and that patching can be a nightmare as it is difficult to tell what impact it will have down the line.
It's a bit like building a Jenga tower with other people and then some random person pulls out a block at the bottom that supports the whole structure.
But Someren highlighted the Core Infrastructure Initiative (CII), set up by the Linux Foundation to take a pre-emptive approach to security problems.
The CII is working with the open source community, and major tech firms like IBM, Google, Qualcomm and Facebook, to establish best practices, educate developers and provide tools to seek out and fix problems in rogue code before they get serious.
This may sound like a pain to some casual developers, but IT bosses should listen to Someren's words as open source increasingly weaves its way into enterprise IT. They can also help by supporting and getting involved in the open source community.
"If you think your internet business can run without open source, you are sadly mistaken. We need the community to come together and help remediate some of these security problems and help keep those bridges and roads maintained," he said.
Someren makes a good point. Apple has open sourced the benchmark suite for its Swift programming language, and Microsoft has made Xamarin free and open source.
To hear more about security challenges, the threats they pose and how to combat them, sign up for Computing's Enterprise Security and Risk Management conference, taking place on 24 November. Places are free to qualifying IT professionals.