Harnessing open source innovation in the military with rock-solid securityStory
November 20, 2019
The U.S. military faces increasing pressure to innovate faster to stay ahead of the evolving threat landscape – but not so quickly as to compromise the security of mission-critical IT systems.
Open source software can help the U.S. military achieve its objectives by opening pathways to collaboration, growth, and the free exchange of ideas. Open source developers continually test the boundaries of what works and what doesn’t. Often, they “fail fast” and iterate, even as they work at an accelerated pace. The open source development community, even though it is globally dispersed, works closely together to facilitate continuous innovation.
This type of fast, agile, free-flowing environment understandably breeds security questions, particularly in the defense sector. Good security hygiene is usually associated with the words “slow” and “methodical,” neither of which are normally attributed to open source development.
But there are inherent misunderstandings surrounding open source and risk, and agencies do not need to choose between speed and security. Let’s explore how the military can get the best of both worlds – harnessing the benefits of open source software while attaining the integrity and security capabilities required for the battlefield.
Understanding the nuances of open source
To get the most out of open source software and technologies, it’s a good idea to first understand the dynamics of the development environment – and its implications for security.
Open source’s greatest strength is a faster reaction time to identified security challenges – anyone, after all, can submit a fix or patch to issues as they arise. However, it would be a mistake to think of any software as bulletproof.
Open source projects can take a significant amount of time and resources to maintain. When community attention is pulled in the direction of new releases and capabilities, the number of members maintaining the security of code at any given time can vary, impacting the ability to respond to new vulnerabilities. Therefore, the primary responsibility for open code security falls to whomever is embedding it.
For the military, assuming responsibility for the maintenance of mission-critical, open source-based systems and applications can be challenging because of the long lifespans of the systems involved and the sheer effort required. Unfortunately, support may not always be readily available. For example, personnel often believe that “somebody out there” can help them address security issues as they arise – when this may not be the case. Open source community members aren’t on call 24/7 and do not deliver service level agreements to users.
Effective, ongoing open source software maintenance requires a defense-in-depth approach involving deep knowledge of the latest patches and updates – knowledge that many IT professionals lack. Fortunately, external vendors can help. Many vendors are already on the front lines of open source projects, proactively innovating and strengthening their products in step with security developments. Crucially, external vendors can also provide support, taking on responsibility for the open source maintenance piece – thereby enabling military IT to focus on higher-level activities that directly support the mission.
Imperatives to enabling a strong open source security posture
To maintain the security posture of open source systems and applications, there are two primary imperatives that every military IT manager should consider.
The first must-do is to automate to reduce human error and make processes reproducible. The U.S. military is an institution rich in both tradition and innovation. Battles fought throughout the years have wrought improvements and adjustments to the ways that commanders and warfighters execute their mission objectives.
It’s much the same for military IT systems, which are typically modified and updated over time. However, unlike knowledge gleaned on the battlefield, a record of why IT changes were made may not have been captured. Even small changes can profoundly affect the integrity of a system, creating an enormous amount of technical debt that can make it difficult for managers to ascertain the integrity of their systems.
Having a clear understanding of everything that’s occurred or has changed within a system is critical to identifying potential vulnerabilities. Using open source software can enable the military to preserve records of system configurations to get a clear sense of changes that have been made to those systems. In addition, IT can automate application development processes to reduce technical debt and minimize the risk of human error, which is a leading cause of security breaches.
The second imperative: Make security intrinsic to application development. To many organizations, digital transformation means adding components onto infrastructure that already exists. This sometimes happens with security controls, which are often an afterthought when it comes to application and system development. Indeed, until recently, security wasn’t a core part of the DevOps process because developers and operations managers considered it a drain on innovation.
In a world where military weapons are increasingly vulnerable to hacks, this approach is unacceptable. Military IT must bake security capabilities directly into application development processes and make them a core component of their infrastructures.
We’re seeing this happen with the advent of DevSecOps. Security must now be regarded not simply as part of the development effort or an added-on component – it’s a shared responsibility that is proactively ingrained in all phases of development. From the whiteboard stage to final delivery, teams scan and test applications, addressing vulnerabilities at every phase of development and closing security loopholes before applications go into production.
Like DevOps, DevSecOps is about speed to production, with automation forming the engine that drives the process. As we’ve established, automation can be facilitated through the use of open source technologies, providing a winning combination of agility and security capabilities.
Adopting a mindset for success
It’s important to remember that attaining the security posture of open source projects isn’t a one-time event – it’s a never-ending process. For military IT personnel, that means keeping up to date with evolving internal and external security threats, continuously scanning for vulnerabilities, and implementing patches and updating software regularly.
Additionally, IT managers should remember that not all open source projects are created equal. Some deployments are smaller and easier to secure, while others are larger and more complex, potentially requiring different knowledge and skills. If open source is used for an operating system or virtualization hypervisor, for example, the security risks can be higher because of the vast surface area they cover.
Security and innovation are proven combination
Security and innovation are not mutually exclusive concepts. The U.S. Navy’s Compile to Combat initiative, for instance, is a great example of a defense agency using cutting-edge software in a herculean effort to get warships afloat faster and more securely than ever before. (See lead photo, above.)
All IT people, including those in military IT, must closely examine how a system or application could be exploited and where its vulnerabilities lie – not simply at the outset of a project, but for the lifespan of deployment. Such a proactive, security-first mindset can enable military IT organizations to get the most out of open source software and technologies.
Rich Lucente is a Principal Solutions Architect at Red Hat. His main area of focus is the application of open source emerging technologies to support the missions of the U.S. federal government and the systems integrators customers that serve them. He has a BS in computer engineering from The Pennsylvania State University and is an avid open source enthusiast who has contributed to multiple open source projects.