Cisco, Microsoft, VMware, and other tech giants unite behind critical open-source projects

Summary: In the wake of the Heartbleed OpenSSL security disaster, The Linux Foundation has brought together both open-source supporters and companies better known for proprietary software to fund mission-critical open-source projects.

When you think of companies that support open source, you think of Google, IBM, and Intel. You don't think of Cisco, Microsoft, and VMware. Things have changed.

The OpenSSL Heartbleed security hole, arguably open source's biggest security breach ever, has made many major technology companies realize just how much they all depend on open source, and that vital projects such as OpenSSL need adequate funding.

So it is that The Linux Foundation brought Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware together to form a new project to fund and support critical elements of the global technology infrastructure: The Core Infrastructure Initiative (CII).

The purpose of CII is to enable technology companies to collaboratively identify mission-critical open-source projects that need funding. That done, the project will then receive the funds its developers need to continue their work under their existing open-source management.

OpenSSL will be the first project under consideration. In 2013, OpenSSL, which was at the heart of Web security for millions of companies and organizations, got by on a mere $9,000. In past years, OpenSSL has received an average of $2,000 per year in donations.

The CII funding will pay key developers to devote their efforts to OpenSSL. It will also provide other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.

This multi-million dollar project will be administered by The Linux Foundation and a steering group composed of project backers as well as key open-source developers and other industry stakeholders. Support from the initiative will include funding fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.

"Maintaining the health of the community projects that produce software critical to the security and safety of Internet commerce is in everyone's interest," said Eben Moglen, Columbia Law School professor and founding director of the Software Freedom Law Center, in a statement. "The Linux Foundation, and the companies joining this Initiative, are enabling these dedicated programmers to continue maintaining and improving the free and open source software that makes the Net work safely for us all. This is business and community collaboration in the public interest."

"We are expanding the work we already do for the Linux kernel to other projects that may need support," said Jim Zemlin, executive director of The Linux Foundation. "Our global economy is built on top of many open-source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100 percent on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders' commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL."

Historically, open source development methods have produced high quality and highly secure software. For instance, the most recent Coverity Open Scan software quality study showed that open-source code has fewer errors than proprietary code. But, as Heartbleed showed, simply being open source doesn't guarantee that a project will avoid major mistakes.

To make sure that vital open-source projects don't have to operate on a shoe-string, CII members will be making millions available to such programs. After all, as Colin Kincaid, Cisco's VP of Product Management and Architecture, said, "Supporting dedicated open source collaborators and contributors is vital to the success and growth of innovation."

Doug Beaver, Facebook's Engineering Director of Traffic & Edge, agreed: "Open-source software makes today's computing infrastructure possible. Facebook is excited to support these projects and the developers who maintain them. This initiative will help ensure that these core components of Internet infrastructure get the assistance they need to respond to new threats and to reach new levels of scale."

In particular, securing open source software is a critical issue even for Microsoft. "Security is an industry-wide concern requiring industry-wide collaboration," said Steve Lipner, Microsoft's partner director of software security. "The Core Infrastructure Initiative aligns with our participation in open source and the advancement of secure development across all platforms, devices and services."

It took a major security catastrophe, but now many of technology's biggest players, including proprietary software companies, have realized that open-source software has become such a vital part of the global technology base that it must be supported not just with lip-service but with cold hard cash. Hopefully, the result will be better quality and safer software for all.

Talkback

34 comments
  • +1

    It's a shame that "It took a major security catastrophe" to do this, but here we are.

    Consider that the POSSE Project in 2001 highlighted the importance of quality assurance of important open source software projects, including the OpenSSL and OpenSSH projects. More here:

    http://www.cis.upenn.edu/~dsl/POSSE/
    Rabid Howler Monkey
  • Good to see companies giving back...

    All of the above companies (including VMware, Cisco, Google, Facebook, and yes, even Microsoft) have for years been enjoying benefits provided by open source projects, and some have only really given back where it suits them (VMware and Microsoft come to mind).

    It is interesting to see exactly how tight the funding is for projects like OpenSSL - $2000 doesn't even buy a month of a competent programmer's time, let alone a year. It is no wonder Heartbleed happened - you can only go so far with public-library internet and ramen noodles, even if you are completely dedicated to writing software!
    daftkey
    • you seem to be deluded for some reason...

      Most programmers working on open source are paid to work on open source by their employers.

      SOME programmers working on open source do so in their spare time. Sometimes with better equipment at home than their employers use.

      None that I know of use "public-library internet" for programming. Uploading and downloading, yes. But the normal restrictions on use prevent any "programming".

      And the programmer already apologized for a rather small mistake - which did have far reaching consequences, but small nevertheless.
      jessepollard
      • I wasn't painting all OSS programmers with that brush, Jesse...

        ..I was referring to the $2000/yr figure SJVN stated in his article that the OpenSSL foundation averages in donations. I don't know of many people who could afford their own dial-up internet on that kind of coin, let alone broadband.
        daftkey
        • Depends on where you look.

          That $2,000 doesn't include the hosting of the code... nor distribution... Those expenses are handled by other supporters.

          The $2,000 also doesn't include the corporate support given to its own programmers that provide code to the project either.

          It also doesn't include the support that users give by reporting bug/wish lists for features, and those users are ALSO paid by their employers...

          There is a lot of barter negotiation going on that isn't included in a $2,000 donation.
          jessepollard
    • That's because companies

      like Google and Facebook, while benefiting heavily from the open source software, are too busy paying billions of dollars for questionable software, money that clearly could have been better spent on the OSS they rely on. I wonder how happy the SSL programmers are hearing about the $2 Billion going to Oculus Rift or all the development on self driving cars...
      happyharry_z
  • fixed it

    "[..] securing open source software is a critical issue even for Microsoft"

    s/be: "[..] securing open source software is a critical issue, especially for Microsoft"

    :)
    code_flogger
    • Remember, the Microsoft stack

      wasn't vulnerable, but all of the third party OSS crap that people think is so secure was. Microsoft recognizes that people will install insecure third party software, both proprietary and OSS on their computers/servers so they better get involved to make sure that they are getting input at the table.

      The tiny programming mistake while regrettable, should never have happened because all of those eyes are on the code...oh wait
      hoppmang
      • I take exception to the phrase "third party OSS crap"

        You make it sound as if Microsoft has never, ever, had a security issue with any of their software.

        Is that what you believe, as I am sure I can find an example or million to enlighten you.
        anothercanuck
      • That aspect of the MS-stack wasn't vulnerable

        But only a fool would think it wasn't vulnerable to other sorts of attacks.
        John L. Ries
      • Please stop

        Don't troll, don't feed the trolls.
        bmonsterman
  • Yoo hoo

    Conspicuous by their absence, Adobe and Oracle. Would that be related to the security history of Acrobat Reader and Java?
    cls8
    • cls@...: "Conspicuous by their absence, Adobe and Oracle."

      From Steven's link in the article to the Core Infrastructure Initiative:

      "We [The Linux Foundation] expect more [supporters] to follow suit in the coming weeks and months."

      Be patient, grasshopper. :)

      P.S. There are more notable companies missing from the early supporters than just Adobe and Oracle.
      Rabid Howler Monkey
  • Too little, too late?

    I am not sure that this problem can be solved simply by throwing money at it, although that is probably part of the equation. If there are managerial problems within the OpenSSL team, then additional funds are not going to fix the problem. The Linux Foundation insists they are not going to attempt to oversee the developers receiving the funds. While I understand the need for that kind of guarantee, I also feel there is a need for some sort of third-party independent auditing of the resulting code as well, and some funds should be reserved for that function. If the Linux Foundation is paying for the code, they should have some means of verifying the resulting product. Otherwise this whole thing can suddenly replay itself, with the only difference being that it received outside funding in the process. Somebody outside the immediate developer group needs to be auditing the code; it's called QA (quality assurance).
    George Mitchell
    • Let's also hope that The Linux Foundation will not be blind

      to important BSD projects such as OpenBSD, which includes both OpenSSH and LibreSSL, as well as FreeBSD.
      Rabid Howler Monkey
    • Who's doing the "third party independent auditing"

      of Microsoft code?

      I ask because every critical open-source project already does internal QA, but your post makes it sound like internal QA is not good enough, and as far as I know, no proprietary software company hires outside code auditors.
      Maybe you can update my knowledge.
      anothercanuck
      • Speaking of broad-brush painting...

        "Who's doing the "third party independent auditing" of Microsoft code?"

        For starters, plenty of large enterprise customers who have signed up for Microsoft's Shared Source Licensing Program:

        http://www.microsoft.com/en-us/sharedsource/enterprise-source-licensing-program.aspx

        There are also enterprise ISVs that have access to the source code for many Microsoft products for which they develop solutions. Because of the qualifications required to view the source, it is actually quite likely that Windows code is audited by a larger number of competent programmers than most open-source projects.

        Just because software is closed-source doesn't mean that the authors take that source code and lock it in a safe somewhere so nobody can see it - source-code sharing agreements are actually quite prevalent in all large commercial software companies. Third-party audits are just as possible with closed-source software as they are with open-source software.

        "I ask because every critical open-source project already does internal QA"

        Obviously, this either hasn't been the case with OpenSSL, or the internal QA that was done was incredibly ineffective. Or you don't consider OpenSSL to be a "critical open-source project". Feel free to choose whatever spin you want.

        Either way, something needs to be improved in that project, and I'm sure there are others that are pretty "critical" that could use a boost. The one thing that throwing money at the problem can do is at least help establish some structure and actual project oversight, which seems to be lacking in this particular case.
        daftkey
        • So just one question:

          about your statement: "Obviously, this either hasn't been the case with OpenSSL, or the internal QA that was done was incredibly ineffective."

          But IE has had thousands of security holes and patches over the years. Shouldn't someone at Microsoft or one of the code-sharing licensees have found and prevented those holes?

          So, why is it 1 issue with OpenSSL should mean the end of open-source, but thousands of issues with Microsoft software is just business as usual?
          anothercanuck
          • So does pretty much every complex program on the planet...

            "IE has had thousands of security holes and patches over the years. Shouldn't someone at Microsoft or one of the code-sharing licensees have found and prevented those holes?"

            That would be nice, wouldn't it - of course, if you could name any complex software program that is completely bug free at the time of its release, I'd love to see it. I can certainly tell you, neither Firefox, nor Safari, nor Chrome, nor Opera are free of bugs, and likely all of them have security vulnerabilities that we don't know about.

            The main reason you know about most of those IE security holes is because someone *has* found them. And for at least the last half-decade or so, the first notice most people had of those security holes was in Microsoft's own security bulletins - after those holes had been found and fixed. So in essence, that is exactly what's happening now.

            "So, why is it 1 issue with OpenSSL should mean the end of open-source, but thousands of issues with Microsoft software is just business as usual?"

            For the same reason why one issue with a shoebomber on a plane means that everyone in North America has to take their shoes off at security checkpoints now and probably will for the foreseeable future. Some things are just that bad.

            In the case of the OpenSSL bug - the failure is so serious and flies in the face of so many open source vs. closed source myths that it really caused incredible damage to the open source philosophy:

            1) The flaw was made possible by the use of a library that many closed-source software companies have "banned" from their internal use. This leads to questions of leadership and project management.

            2) The flaw is incredibly simple - sure this allowed for a quick fix, but it also leads to the question of why something so simple was missed in the first place.

            "but thousands of issues with Microsoft software is just business as usual?"

            If by "business as usual" you mean "admitting the fact that no software is perfectly secure and there will always be issues, finding said issues, and fixing said issues," then yeah, it really is just business as usual for MS.

            See, Microsoft never tried to pass themselves off as somehow immune to these kinds of security issues the way many open source advocates do. They acknowledge issues when they come up, and then they fix those issues. Microsoft doesn't point to open source projects and say "those guys suck - use our stuff because we're more secure than they are". They just make software and sell software.

            All the while, many open source advocates have been pointing to Microsoft as the example of what not to do and saying "we are better than those guys". A strategy that works quite well, as long as it is actually true. Now that it has been proven that such is not actually the case (and hasn't been for quite a long time now), Microsoft can continue doing what they've been doing, while many OSS advocates have to find some other strawman to burn.
            daftkey