The Cost of “Free” - Open Source Strategy Forum · 11/6/2017

November 6, 2017 · Confidential · The Cost of “Free”: Managing Risk in an Open Source World · Joe McCann, CEO NodeSource Inc.


TRANSCRIPT

Page 1

November 6, 2017

Confidential

The Cost of “Free”

Managing Risk in an Open Source World

Joe McCann, CEO NodeSource Inc.

Page 2

© 2017 NodeSource

We’re the Node.js company.

Page 3

Page 4

“Open Source is like a free puppy. It's great at first, but then you have to take care of it.”

Page 5

Free Puppy Task List

• Feed

• Walk

• Train

• Groom

Page 6

Open Source Task List

• Secure

• Support

• Educate

• Trust, but verify

Page 7

Benefits of Open Source

Page 8

Security

• Broad and continuous peer review

• Infinite eyes > total number of eyes in your company

• Patches come faster from open source than closed-source proprietary vendors

Page 9

Attract and Retain Talent

• Skills are transferable

• Large pool of talent available with skills verified by open source activity

• Overwhelming degree of innovation in open source projects favors creative thinkers

Page 10

Cost Savings

• Per-seat license fee drops to $0 with open source

• No vendor lock-in

• Reduced total cost of ownership

Page 11

Example

Adjusted to today’s software development costs, building the Fedora 9 Linux distribution would require a budget of $10.8 Billion.

Page 12

Accelerate Time to Market

• Many users. No license restrictions on who can use the software

• Many uses. No license restrictions on source code modifications or use cases

• OSS is extremely well-suited to rapid prototyping and experimentation

Page 13

SaaS is a new way of delivering software.

Open Source is a new way of delivering infrastructure.

Page 14

Risks

Page 15

Risks Around Open Source

• Brand/Reputation

• Operations

• Personally Identifiable Information (PII)

• Compliance

• Revenue

Page 16

Heartbleed

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

More than 2/3 of all web servers on Earth were vulnerable.

Page 17

left-pad

In March 2016, npm attracted national press attention after a package called left-pad, which was depended upon by many popular JavaScript packages, was unpublished as the result of a dispute. Although the package was re-published 3 hours later, it caused widespread disruption and broke countless builds around the world.

Page 18

Hidden/Embedded Risk

Electron is an open source framework based on Chromium and Node.js. However, there is a massive security risk here that is hidden from most users. Google Chrome, also based on Chromium, receives auto-updates for new features and security patches, but Electron apps do not. Therefore, many security vulnerabilities still exist in Electron apps today because Electron runs older versions of Chromium.

Page 19

MongoDB

On May 22, 2017, Coinbase experienced a massive spike in user traffic as a result of volatile price swings in Bitcoin and Ethereum. Failure to upgrade their production MongoDB instances ultimately triggered the downtime. Coinbase engineers are not MongoDB experts, and the operational risk associated with open source infrastructure reared its head on the day they needed the expertise the most.

"...in consultation with MongoDB experts we decided to move forward..."

Page 20

Request traffic on Coinbase's primary load balancer (incident highlighted).

Page 21

Equifax

On September 7, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 145.5 million U.S. consumers.

Equifax said the breach was facilitated using a flaw in Apache Struts. A patch for the vulnerability was released on March 7, yet the company failed to apply the security updates before the attack occurred two months later.

Page 22

Before breach: $16B market cap

One week after breach: $11B market cap

Page 23

$250,000 Vendor Support Contract to save $5 Billion in Shareholder Value

Page 24

Best Practices

Page 25

Enterprise-Grade Vendor Support

Page 26

“The use of any software without appropriate maintenance and support presents an information assurance risk. Before approving the use of software (including OSS), system/program managers, and ultimately Designated Approving Authorities (DAAs), must ensure that the plan for software support (e.g., commercial or Government program office support) is adequate for mission need.”

United States Department of Defense, Clarifying Guidance Regarding Open Source Software (OSS)

Page 27

Best-in-Class Tooling

Page 28

“You can run the open source version in production...but should you?”

Page 29

N|Solid Runtime: A fully-compatible Node.js runtime enhanced to address the needs of the enterprise.

Certified Modules: The secure, reliable way to take advantage of the massive ecosystem of Node.js packages.

Dedicated Support: Establish and sustain enterprise-grade Node.js development and operations.

NodeSource is the Node.js company. Run Node.js securely and confidently in production with the product suite trusted by innovative Fortune 500 companies.

Page 30

The superior Node.js runtime

Page 31

Feature comparison (Node.js / N|Solid):

• Language Uniformity: ✓ / ✓

• Fast, Efficient, and Highly Scalable: ✓ / ✓

• Collaborative Package Management: ✓ / ✓

• Officially Supported Runtime: ✓ / ✓

• Enhanced Security Capabilities: ✗ / ✓

• Process Monitoring and Analysis in Production at Scale: ✗ / ✓

• Node-Specific Metrics (20): ✗ / ✓

• Turnkey and Standardized Debugging: ✗ / ✓

• 24x7x365 Technical Support: ✗ / ✓

• Advanced Node-Specific Metrics (50+) with StatsD Integration: ✗ / ✓

• Enhanced Notification System (Slack, PagerDuty, Webhooks): ✗ / ✓

• Event Loop Delay Alerting: ✗ / ✓

• Process Cluster Analysis: ✗ / ✓

• Adjustable Resource Usage Time-Scales: ✗ / ✓

• Built-In Heap Snapshot Diffs: ✗ / ✓

N|Solid: More than just Node.js

Page 32

Bringing trust to untrusted third-party JavaScript

Page 33

Feature comparison (NPM / NCM):

• 550,000+ JS Packages Available: ✓ / ✓

• Immutable Package Registry: ✓ / ✓

• Collaborative Workflow: ✓ / ✓

• Command Line Interface: ✓ / ✓

• Enhanced Security Scanning: ✗ / ✓

• Curation of Packages: ✗ / ✓

• Trust Score for All Packages: ✗ / ✓

• All-Inclusive Feature Set (No Need for Add-Ons): ✗ / ✓

• 24x7x365 Technical Support: ✗ / ✓

• Highly Available and Resilient Private Registry: ✗ / ✓

• Automatic Dependency Recertification on Updates: ✗ / ✓

• Software License Compliance (OSS and Proprietary): ✗ / ✓

• Application-Specific Package Scoring: ✗ / ✓

• Application-Specific Package Bundle Hosting: ✗ / ✓

• Test Coverage Checks for All Packages: ✗ / ✓

• Cryptographically Signed Packages: ✗ / ✓

NodeSource Certified Modules: More than just NPM

Page 34

Expect Shadow IT

Page 35

Institute an Adequate Disclosure Policy

Page 36

https://securitytxt.org

Page 37

Reduce Proprietary Tech Footprint

Increase Open Standards Adoption

Page 38

vs.

Page 39

Thank you.

Joe [email protected]

@joemccann