Thales Blog

Why The Cybersecurity Industry Should Care About Open Source Maintenance

November 13, 2017

In June of this year, Thales eSecurity joined the Core Infrastructure Initiative (CII), a project both founded and managed by The Linux Foundation, with the aim of collaboratively enhancing and strengthening the security and resilience of critical Open Source projects. Many of the world’s largest technology companies already belong to the CII, with Thales being officially recognised as the first global security firm to join the initiative.

So why are we supporting this project? Why pay for free software? Put simply, we owe it to ourselves, and we owe it to the world, to ensure that the software that forms the foundation of our Connected World is as secure and well maintained as possible.

Practically all major companies make use of Open Source Software in some way, weaving it into the fabric of our digital lives. This enables very rapid product development and innovation but it also comes with a bit of a problem. With so much riding on a few critical pieces of software, the impact of a bug can be quite severe.

We all remember Heartbleed, right? We’re in danger of hitting the software equivalent of a genetic monoculture and with industrial IoT round the corner, that’s a pretty scary prospect. In essence, every time OpenSSL sneezes, everyone catches a cold.

Until now, we have lacked a good way to encourage and marshal contributions and to maintain these programs efficiently. Sure, the big names like Linux core have a lot of support and are improving all the time, but what about all those other projects? With the stakes higher than ever before, the CII’s raison d'être is rooted in ensuring that the Open Source code underpinning businesses today remains robust and well maintained, with a cybersecurity mission at its heart.

The CII proactively seeks and solves cybersecurity issues in a wide range of Linux Foundation projects, not only maintaining code and fixing bugs, but also running a ‘badge’ programme to help the software community identify the components that follow established best practice. Joining the project allows Thales and the other members to have influence over the priorities and practices of this critically important work.

Personally (and this is truly a personal opinion) I believe in a moral imperative to give back when you receive something for free. And it certainly sits uneasily when a commercial company suffers a data breach and then blames it on flaws in software that was built on other people’s efforts.

Altruistic philosophy aside, the CII makes sense for selfish reasons too. By supporting this project, we enable the Linux Foundation to set some of the world’s best software cybersecurity experts on track to deal with the problem of maintaining core infrastructure, and, in turn, to give the results back to all of us.

Even if we were to pay our own staff individually to update and patch the code, we could never do as good a job alone. As with so many security aspects of the digital transformation era, we truly are better together.