Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%.
Open-source software is also growing by leaps and bounds. According to Gartner’s 2021 Hype Cycle for Open-Source Software (OSS): “Through 2025, more than 70% of enterprises will increase their IT spending on OSS, compared with their current IT spending. Plus, by 2025, software as a service (SaaS) will become the preferred consumption model for OSS due to its ability to deliver better operational simplicity, security, and scalability.”
Thinking of databases, the beef and potatoes of enterprise software, Gartner predicts that over 70% of new in-house applications will be developed on an open-source database. Simultaneously, 50% of existing proprietary relational database instances will have been converted or are being converted to open-source DBMSs.
I’ll buy those numbers. I’ve been following Linux and open-source software since day one. Everywhere I go and everyone I talk to acknowledges that the pair run the software universe.
But with great power comes great responsibility, as Spider-Man knows. And, as many developers recently found out when multiple security vulnerabilities were discovered in log4j2, the Apache open-source Java logging library, with it also come great headaches.
The log4j2 problems are as bad as bad can get. On the National Vulnerability Database (NVD) scale, it is rated 10.0 CVSSv3, the worst possible score, which is perfectly awful.
The real trouble isn’t so much with open source itself. There’s nothing magical about the open-source methodology when it comes to security; security mistakes can still enter the code. Linus’s law holds that, given enough eyeballs, all bugs are shallow. But if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
That said, the real pain-in-the-rump with log4j is with how Java hides what libraries its source code and binaries