Open Source software continues to infect everything...

Posted on: October 25, 2020 - 12:56 By: carl

Colour me gobsmacked. I've not heard anything like that since Microsoft's "Linux is a cancer" days nearly 20 years ago, but no, here I am at a presentation by a security specialist and there it is, writ large on the screen... well, we can't let that go unchallenged, can we :-)

So after a bit of a conversation with the speaker it turns out that the main concern they had was web development in general and the increasing use of the node.js framework in particular. Node.js and its package manager, npm, allow an application to be assembled rapidly from many third-party libraries (and their transitive dependencies), each of which may carry different licensing requirements and a different level of security oversight depending on which project maintains the code... so is there a challenge in this space? Of course there is... but it's not unique to Open Source.

In fact it is the same business problem that has always existed. It is the business that decides what software it is going to use, and it is therefore the responsibility of the business to ensure that it complies with any and all license requirements that the software is released under... and that is the same for any software, not just software released under an Open Source license. If you as a business want to leverage the vast wealth of intellect and knowledge available to you via node.js and npm to get your product to market in a timely and efficient manner, then you as a business are responsible for ensuring that the licenses are complied with and that any security issues are dealt with... just like you do with proprietary software.

The nice thing about Open Source security issues is that if you detect them yourself you can fix them yourself, because you already have all these developers cutting code for your business anyway... and that fix can go back into the pool. In addition to that, some of the larger projects, especially those that have some sort of foundation backing (the OpenJS Foundation in the case of node.js), will have tooling and methods for notifying you of security issues and delivering fixes, à la npm audit for node.js, which checks the installed dependency tree against the registry's advisory database and can apply compatible upgrades with npm audit fix. Note that npm audit covers security advisories, not licensing; license compliance is a separate check, but every package declares its license in its package.json, so that check is easy to script.
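To make the "you are responsible for the licenses and the security issues" point concrete, here is a small policy gate for a Node.js project. It is an example added to this post, not code from the Node.js or npm projects: it checks every installed package's declared license against an allow-list and reads the JSON that npm audit --json produces (the npm 7+ report shape, keyed by package name under vulnerabilities) to fail on anything at or above a chosen severity. The allow-list, the package names and the advisories are constructed placeholders so it runs offline; the SPDX handling is deliberately simplified.

```javascript
// Added example, not from the original post: a dependency-policy gate for a
// Node.js project covering the two obligations the post puts on the business:
// (1) every installed package's declared license is on an allow-list, and
// (2) `npm audit --json` reports nothing at or above a chosen severity.
// All sample input below is constructed; package and advisory names are
// placeholders, not real packages or advisories.

// What this (hypothetical) business has decided it may ship.
const ALLOWED_LICENSES = new Set(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"]);

// package.json's license field may be an SPDX string, a {type, url} object, or
// (in old packages) a `licenses` array; a missing field is treated as UNKNOWN.
function normaliseLicense(pkg) {
  const lic = pkg.license ??
    (Array.isArray(pkg.licenses) ? pkg.licenses.map((l) => l.type ?? "UNKNOWN").join(" OR ") : undefined);
  if (lic == null) return "UNKNOWN";
  if (typeof lic === "object") return lic.type ?? "UNKNOWN";
  return String(lic).trim();
}

// Simplified SPDX evaluation: strip parentheses, split alternatives on OR, and
// accept if every AND/WITH term of at least one alternative is allowed. Nested
// expressions such as "MIT AND (X OR Y)" would need a real SPDX parser.
function licenseAllowed(expr, allowed = ALLOWED_LICENSES) {
  const alternatives = expr.replace(/[()]/g, "").split(/\s+OR\s+/i);
  return alternatives.some((alt) =>
    alt.split(/\s+(?:AND|WITH)\s+/i).every((term) => allowed.has(term.trim()))
  );
}

// Offending packages from a map of name -> package.json contents.
function licenseViolations(installed, allowed = ALLOWED_LICENSES) {
  const violations = [];
  for (const [name, pkg] of Object.entries(installed)) {
    const license = normaliseLicense(pkg);
    if (!licenseAllowed(license, allowed)) violations.push({ name, version: pkg.version, license });
  }
  return violations;
}

// Build that map from a real node_modules tree (flat layout plus @scope dirs).
// Not called in the sample run, so the script stays offline.
function readNodeModules(root) {
  const fs = require("node:fs");
  const path = require("node:path");
  const installed = {};
  for (const entry of fs.readdirSync(root)) {
    const dirs = entry.startsWith("@")
      ? fs.readdirSync(path.join(root, entry)).map((s) => `${entry}/${s}`)
      : [entry];
    for (const dir of dirs) {
      const manifest = path.join(root, dir, "package.json");
      if (fs.existsSync(manifest)) installed[dir] = JSON.parse(fs.readFileSync(manifest, "utf8"));
    }
  }
  return installed;
}

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Findings at or above `threshold` from an `npm audit --json` report (npm 7+
// shape: report.vulnerabilities keyed by package name), worst first.
function auditFindings(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = [];
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < min) continue;
    // fixAvailable is true, false, or an object naming the semver-major upgrade
    // that would clear it (what `npm audit fix --force` would apply).
    const fix = v.fixAvailable === true ? "yes"
      : v.fixAvailable ? `major upgrade: ${v.fixAvailable.name}@${v.fixAvailable.version}`
      : "no";
    findings.push({ name: v.name, severity: v.severity, direct: Boolean(v.isDirect), range: v.range, fix });
  }
  return findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// The gate itself: pass only when both checks are clean.
function policyGate(installed, report, { allowed = ALLOWED_LICENSES, threshold = "high" } = {}) {
  const licenses = licenseViolations(installed, allowed);
  const vulnerabilities = auditFindings(report, threshold);
  return { ok: licenses.length === 0 && vulnerabilities.length === 0, licenses, vulnerabilities };
}

// Constructed sample input (placeholder names; not real packages or advisories).
const SAMPLE_INSTALLED = {
  "web-framework": { version: "4.17.1", license: "MIT" },
  "pad-left": { version: "1.3.0", license: "WTFPL" },
  "crypto-lib": { version: "0.10.0", license: "(BSD-3-Clause OR GPL-2.0)" },
  "legacy-lib": { version: "0.1.0", licenses: [{ type: "GPL-3.0", url: "https://example.invalid" }] },
  "mystery-lib": { version: "2.0.0" },
};
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "arg-parser": { name: "arg-parser", severity: "moderate", isDirect: false, range: "<0.2.1", fixAvailable: true },
    "util-lib": { name: "util-lib", severity: "high", isDirect: true, range: "<4.17.19", fixAvailable: true },
    "old-parser": { name: "old-parser", severity: "critical", isDirect: true, range: "<2.0.0",
      fixAvailable: { name: "old-framework", version: "3.0.0", isSemVerMajor: true } },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Real use: readNodeModules("node_modules") plus JSON.parse of `npm audit --json` output.
  const result = policyGate(SAMPLE_INSTALLED, SAMPLE_AUDIT, { threshold: "high" });
  console.log(JSON.stringify(result, null, 2));
  console.log(result.ok ? "policy: PASS" : "policy: FAIL (a CI job would exit non-zero here)");
}
```

Run against the sample data the gate fails: three packages trip the license allow-list (WTFPL, GPL-3.0 and a package with no license field at all, which is treated as unknown rather than silently accepted), and two of the three audit findings are at or above "high", one of them only fixable by a semver-major upgrade that a plain npm audit fix will not apply. Wire readNodeModules and a saved npm audit --json file into policyGate in CI and you have the "ensure licenses are complied with and security issues are dealt with" obligation from above as a check that runs on every build.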

Can all this be complex and daunting? Of course it can, but there is always help at hand; you just need to keep a rational mind and follow the basic guidelines above (know what you are using, comply with its licenses, and deal with its security issues), just like you do for pretty much everything else in life.