Tag Archives: artificial intelligence

$34B Red Hat Acquisition Is a Bolt Out of Big Blue | Deals


The cloud computing landscape may look much different to enterprise users following the announcement earlier this week of IBM’s agreement to acquire Red Hat.

IBM plans to purchase Red Hat, a major provider of open source cloud software, for US$34 billion. IBM will acquire all of the issued and outstanding common shares of Red Hat for $190 per share in cash, under terms of the deal. That stock purchase represents a total enterprise value of approximately $34 billion.

Once the acquisition is finalized, Red Hat will join IBM’s Hybrid Cloud team as a distinct unit, preserving the independence and neutrality of Red Hat’s open source development heritage and commitment, current product portfolio, and go-to-market strategy, plus its unique development culture.

Red Hat president and CEO Jim Whitehurst will continue in his leadership role, as will the other members of Red Hat’s current management team. Whitehurst also will join IBM’s senior management team, reporting to CEO Ginni Rometty. IBM intends to maintain Red Hat’s headquarters, facilities, brands and practices.

Following the acquisition, IBM will remain committed to Red Hat’s open governance, open source contributions, and participation in the open source community and development model.

IBM also will foster Red Hat’s widespread developer ecosystem. In addition, both companies will remain committed to the continued freedom of open source via such efforts as Patent Promise, GPL Cooperation Commitment, the Open Invention Network and the LOT Network.

The acquisition was a smart business move for both IBM and Red Hat, said Charles King, principal analyst at Pund-IT.

“It seems possible or likely that other vendors would be interested in purchasing Red Hat,” he told the E-Commerce Times. “By making a deal happen, IBM is bringing in-house a raft of technologies, solutions and assets that are both familiar and highly complementary to its own solutions.”

Partnerships and Financial Oversight

Both IBM and Red Hat will continue to build and enhance Red Hat partnerships. These include the IBM Cloud and other major cloud providers such as Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba. At the same time, Red Hat will benefit from IBM’s hybrid cloud and enterprise IT scale in helping expand its open source technology portfolio to businesses globally.

Partnerships between the two companies span 20 years. IBM served as an early supporter of Linux, collaborating with Red Hat to help develop and grow enterprise-grade Linux and more recently to bring enterprise Kubernetes and hybrid cloud solutions to customers.

These innovations have become core technologies within IBM’s $19 billion hybrid cloud business. Between them, IBM and Red Hat have contributed more to the open source community than any other organization, the companies noted.

“For Red Hat, IBM is an ideal partner to help the company scale its business to the next level. Really, no other vendor comes close to having IBM’s reach into and credibility among global enterprises,” said King.

IBM intends to close the transaction through a combination of cash and debt in the latter half of next year. The acquisition has been approved by the boards of directors of both IBM and Red Hat.

The deal is subject to Red Hat shareholder approval. It also is subject to regulatory approvals and other customary closing conditions.

IBM plans to suspend its share repurchase program in 2020 and 2021. The company expects to accelerate its revenue growth, gross margin and free cash flow within 12 months of closing.

Moving Forward

“The acquisition of Red Hat is a game-changer. It changes everything about the cloud market,” said IBM’s Rometty.

Most companies have progressed only 20 percent along their cloud journey, renting compute power to cut costs, she said. The next chapter in cloud usage, the remaining 80 percent, involves unlocking real business value and driving growth.

“It requires shifting business applications to hybrid cloud, extracting more data and optimizing every part of the business, from supply chains to sales,” Rometty pointed out.

Eighty percent of business workloads have yet to move to the cloud, according to IBM. Instead, they are held back by the proprietary nature of today’s cloud market. This prevents portability of data and applications across multiple clouds, data security in a multicloud environment, and consistent cloud management.

IBM and Red Hat plan to position the combined company to address this issue and accelerate hybrid multicloud adoption. The post-acquisition business will focus on helping clients create cloud-native business applications faster.

That will result in driving greater portability and security of data and applications across multiple public and private clouds, all with consistent cloud management. IBM and the absorbed Red Hat division will draw on their shared leadership in key technologies, such as Linux, containers, Kubernetes, multicloud management and automation.

Business Imperative

Red Hat/IBM is the second-largest computer software deal ever recorded globally, according to Mergermarket data. In terms of computer software mergers and acquisitions in the U.S. alone, the sector already has hit a record high value of $138.3 billion this year, having surpassed all previous full years on record.

IBM/Red Hat accounts for nearly a quarter of total U.S. software deal value in the year to date. Red Hat is IBM’s largest transaction ever.

“IBM has been in need for some time of catching up with other tech giants, such as Amazon and Microsoft, in making a sizable investment like this in the cloud,” noted Elizabeth Lim, senior analyst at Mergermarket.

“It makes sense that IBM would pay such a large amount for a company like Red Hat, to try to outbid any potential competition,” she told the E-Commerce Times.

The deal with Red Hat marks a transition for the company toward hybrid cloud computing, after years of seeking growth with mixed results. For example, IBM made big bets on its artificial intelligence system Watson, but its traditional IT business has shrunk, Lim said.

“It is clear that CEO Ginni Rometty intends, with this deal, to try to propel IBM back into the ranks of the industry’s top players after falling behind in recent years, and that the company also felt the need to acquire outside tech instead of spending years trying to develop it in-house,” she explained.

The question now is how successfully IBM will integrate Red Hat, said Lim.

Smart Business

The acquisition comes as a surprise, but it is a smart move that makes a lot of sense, said Tim Beerman, CTO of Ensono.

IBM has been a big supporter of open source and the Linux operating system, so Red Hat’s open source software portfolio, supported by value-added “paid” solutions, is the perfect investment, he told the E-Commerce Times.

“It is a big win for IBM, Red Hat and their customers. IBM gets to modernize its software services by adopting Red Hat’s technology,” Beerman noted.

“Red Hat gains IBM’s financial backing and the ability to scale its capabilities and offer a hybrid IT approach, and its customers receive the ability to go to market faster with the assurance their providers have the investment they need to excel in a hypercompetitive market,” he explained.

This acquisition reinforces the concept that open source tools are part of the answer to hybrid cloud solutions, added Beerman. IBM’s investment will allow the companies to increase their security profiles in open source systems.

Over the years, IBM’s technology portfolio, particularly on the software side, has dried up or been sold off, according to Todd Matters, chief architect at RackWare. IBM really needs some of its own technology in its portfolio, so the Red Hat acquisition makes a lot of sense in those terms.

“Red Hat brings a long list of very good software products. Linux — and Red Hat in particular — has been able to purvey to the enterprise very successfully, and that is the sort of thing that IBM needs for its typical customer portfolio,” Matters told the E-Commerce Times.

IBM had little choice but to acquire Red Hat, observed Craig Rosenberg, chief analyst at research and advisory firm Topo.

The deal is a “huge move for IBM and the industry,” he told the E-Commerce Times.

“In the multicloud market where AWS, Google and Microsoft have a clear head start, IBM had to make a move or risk being left behind. By acquiring Red Hat — and more specifically OpenShift — IBM becomes a major player, with a compelling developer-centric, open source offering and business model,” Rosenberg explained.

Deal Ramifications

With the Red Hat acquisition, IBM will get the industry’s premier enterprise Linux distro and its most dynamic container platform, along with myriad other valuable assets, noted King. For Red Hat, the acquisition cements an alliance with one of its oldest strategic partners.

“IBM has also been among the industry’s staunchest and most generous supporters of open source projects and initiatives. Frankly, it is hard to think of similar deals that would have been as beneficial for both IBM and Red Hat,” said Pund-IT’s King.

That rosy view is not shared by some other onlookers, however.

IBM has committed to pay a huge price for the agile growth company, but it is far from a sure bet that the deal will transform IBM into a nimbler player, according to Jay Srivatsa, CEO of Future Wealth.

“It paves the way for Amazon, Microsoft and Google to get stronger. IBM is counting on open source to cement the company’s credibility as a cloud player, but the train has left the station,” Srivatsa told the E-Commerce Times.

“The risk of Red Hat simply becoming as irrelevant as IBM has in the cloud computing space is greater than the probability of IBM/Red Hat becoming a leading player in this space,” he added.

One big stumbling block, according to Pete Sena, CEO of Digital Surgeons, is the risky business of integrating Red Hat’s culture adequately. IBM has not matched Red Hat’s stewardship of open source.

“If IBM does not integrate the cultures effectively, Red Hat employees may want to take their money and run,” Sena told the E-Commerce Times.

However, if IBM can work within Red Hat’s proven open source model, the potential upside is nearly guaranteed, he noted.

“If you are a salesperson at either company, once this integration is rolled up together, then you have the ability to sell across various business units. The business implications point to IBM and Red Hat now having a ton of connected offerings,” Sena said.

Cloud Competition Impacted

Red Hat’s OpenShift container platform is being used or supported by virtually every major cloud vendor, noted King, and it’s likely those partnerships will persist.

“In fact, IBM emphasized that the deal would not disrupt any Red Hat customers,” he said, “but it is likely that the acquisition could spur interest in other container technologies by cloud companies.”

At the end of the day, though, mass defections are unlikely. It behooves service providers to support the technologies their customers prefer. For hybrid cloud customers, OpenShift is at or near the top of that list, according to King.

Because Red Hat will maintain its independence through the early part of the transition, things are likely to remain much the same in the e-commerce space, at least in the short term, suggested Jonathan Poston, director of technical SEO at Tombras Group.

“My guess is that IBM’s motive in the first place was less about controlling market supply and raising prices by buying out smaller, more competitive alternatives,” he told the E-Commerce Times, “and mostly about injecting vigor into a product inventory to extend the average life cycle through a classic strategic innovation acquisitions approach. An altruistic perspective, I know — but again, at least for the short-term, I suspect this will be the case.”

Open Source Reactionaries

The sudden unexpected announcement will no doubt produce some minor objections from the ranks of Red Hat workers. However, open source today is more commercial and institutionalized than it was even five years ago, so major turmoil over the business decision will not occur.

“Overall, I do not expect the deal to have any significant impact on open source culturally or as a practice,” said King. “IBM is too experienced and invested in open source to allow that to happen.”

However, the deal could spur interest in Red Hat’s competitors, like Suse and Canonical, as well as alternative container solutions, he suggested, and even might lead to other acquisitions in those areas.


Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.

Shuttleworth on Ubuntu 18.04: Multicloud Is the New Normal | Software


By Jack M. Germain

Apr 29, 2018 5:00 AM PT

Canonical last week released the Ubuntu 18.04 LTS platform for desktop, server, cloud and Internet of Things use. Its debut followed a two-year development phase that led to innovations in cloud solutions for enterprises, as well as smoother integrations with private and public cloud services, and new tools for container and virtual machine operations.

The latest release drives new efficiencies in computing and focuses on the big surge in artificial intelligence and machine learning, said Canonical CEO Mark Shuttleworth in a global conference call.

Ubuntu has been a platform for innovation over the last decade, he noted. The latest release reflects that innovation and comes on the heels of extraordinary enterprise adoption on the public cloud.

The IT industry has undergone some fundamental shifts since the last Ubuntu upgrade, with digital disruption and containerization changing the way organizations think about next-generation infrastructures. Canonical is at the forefront of this transformation, providing the platform for enabling change across the public and private cloud ecosystem, desktop and containers, Shuttleworth said.

“Multicloud operations are the new normal,” he remarked. “Boot time and performance-optimized images of Ubuntu 18.04 LTS on every major public cloud make it the fastest and most-efficient OS for cloud computing, especially for storage and compute-intensive tasks like machine learning,” he added.

Ubuntu 18.04 comes as a unified computing platform. Having an identical platform from workstation to edge and cloud accelerates global deployments and operations. Ubuntu 18.04 LTS features a default GNOME desktop. Other desktop environments are KDE, MATE and Budgie.

Diversified Features

The latest technologies under the Ubuntu 18.04 hood are focused on real-time optimizations and an expanded Snapcraft ecosystem to replace traditional software delivery via package management tools.

For instance, the biggest innovations in Ubuntu 18.04 are related to enhancements to cloud computing, Kubernetes integration, and Ubuntu as an IoT control platform. Features that make the new Ubuntu a platform for artificial intelligence and machine learning also are prominent.

The Canonical distribution of Kubernetes (CDK) runs on public clouds, VMware, OpenStack and bare metal. It delivers the latest upstream version, currently Kubernetes 1.10. It also supports upgrades to future versions of Kubernetes, expansion of the Kubernetes cluster on demand, and integration with optional components for storage, networking and monitoring.

As a platform for AI and ML, CDK supports GPU acceleration of workloads using the Nvidia DevicePlugin. Further, complex GPGPU workloads like Kubeflow work on CDK. That performance reflects joint efforts with Google to accelerate ML in the enterprise, providing a portable way to develop and deploy ML applications at scale. Applications built and tested with Kubeflow and CDK are perfectly transportable to Google Cloud, according to Shuttleworth.

Developers can use the new Ubuntu to create applications on their workstations, test them on private bare-metal Kubernetes with CDK, and run them across vast data sets on Google’s GKE, said Stephan Fabel, director of product management at Canonical. The resulting models and inference engines can be delivered to Ubuntu devices at the edge of the network, creating an ideal pipeline for machine learning from the workstation to rack, to cloud and device.

Snappy Improvements

The latest Ubuntu release allows desktop users to receive rapid delivery of the latest application updates. Besides having access to typical desktop applications, software devs and enterprise IT teams can benefit from the acceleration of snaps, deployed across the desktop to the cloud.

Snaps have become a popular way to get apps on Linux. More than 3,000 snaps have been published, and millions have been installed, including official releases from Spotify, Skype, Slack and Firefox.

Snaps are fully integrated into Ubuntu GNOME 18.04 LTS and KDE Neon. Publishers deliver updates directly, and security is maintained with enhanced kernel isolation and system service mediation.

Snaps work on desktops, devices and cloud virtual machines, as well as bare-metal servers, allowing a consistent delivery mechanism for applications and frameworks.

Workstations, Cloud and IoT

Nvidia GPGPU hardware acceleration is integrated in Ubuntu 18.04 LTS cloud images and Canonical’s OpenStack and Kubernetes distributions for on-premises bare metal operations. Ubuntu 18.04 supports Kubeflow and other ML and AI workflows.

Kubeflow, the Google approach to TensorFlow on Kubernetes, is integrated into Canonical Kubernetes along with a range of CI/CD tools, and aligned with Google GKE for on-premises and on-cloud AI development.

“Having an OS that is tuned for advanced workloads such as AI and ML is critical to a high-velocity team,” said David Aronchick, product manager for Cloud AI at Google. “With the release of Ubuntu 18.04 LTS and Canonical’s collaborations to the Kubeflow project, Canonical has provided both a familiar and highly performant operating system that works everywhere.”

Software engineers and data scientists can use tools they already know, such as Ubuntu, Kubernetes and Kubeflow, and greatly accelerate their ability to deliver value for their customers, whether on-premises or in the cloud, he added.

Multiple Cloud Focus

Canonical has seen a significant adoption of Ubuntu in the cloud, apparently because it offers an alternative, said Canonical’s Fabel.

Typically, customers ask Canonical to deploy OpenStack and Kubernetes together. That is a pattern emerging as a common operational framework, he said. “Our focus is delivering Kubernetes across multiple clouds. We do that in alignment with Microsoft Azure service.”

Better Economics

Economically, Canonical sees Kubernetes as a commodity, so the company built it into Ubuntu’s support package for the enterprise. It is not an extra, according to Fabel.

“That lines up perfectly with the business model we see the public clouds adopting, where Kubernetes is a free service on top of the VM that you are paying for,” he said.

The plan is not to offer overly complex models based on old-school economic models, Fabel added, as that is not what developers really want.

“Our focus is on the most effective delivery of the new commodity infrastructure,” he noted.

Private Cloud Alternative to VMware

Canonical OpenStack delivers private cloud with significant savings over VMware and provides a modern, developer-friendly API, according to Canonical. It also has built-in support for NFV and GPGPUs. The Canonical OpenStack offering has become a reference cloud for digital transformation workloads.

Today, Ubuntu is at the heart of the world’s largest OpenStack clouds, both public and private, in key sectors such as finance, media, retail and telecommunications, Shuttleworth noted.

Other Highlights

Among Ubuntu 18.04’s benefits:

  • Containers for legacy workloads with LXD 3.0 — LXD 3.0 enables “lift-and-shift” of legacy workloads into containers for performance and density, an essential part of the enterprise container strategy.

    LXD provides “machine containers” that behave like virtual machines in that they contain a full and mutable Linux guest operating system, in this case, Ubuntu. Customers using unsupported or end-of-life Linux environments that have not received fixes for critical issues like Meltdown and Spectre can lift and shift those workloads into LXD on Ubuntu 18.04 LTS with all the latest kernel security fixes. The protection comes from the shared host kernel: an LXD container runs the guest’s user space on the Ubuntu 18.04 kernel, so kernel-level mitigations apply to it, but the libraries and applications inside the legacy guest are no more patched than they were before the move.

  • Ultrafast Ubuntu on a Windows desktop — New Hyper-V optimized images developed in collaboration with Microsoft enhance the virtual machine experience of Ubuntu in Windows.

  • Minimal desktop install — The new minimal desktop install provides only the core desktop and browser for those looking to save disk space and customize machines with their specific apps or requirements. In corporate environments, the minimal desktop serves as a base for custom desktop images, reducing the attack surface of the platform.


Android P Tackles Phone Addiction, Distraction | Operating Systems


Google on Tuesday revealed some major new features in the next version of its Android operating system for mobile devices.

Now in public beta, the OS known as “Android P” includes features designed to address growing concerns about phone addiction and distraction.

For example, a dashboard will show users how often, when and for how long they use each application on their phone. What’s more, they can set time limits on usage.

With the help of artificial intelligence, Android P also will watch how a user handles notifications. If notifications from an app constantly are swiped away, Android P will recommend notifications be turned off for that program.

“Do Not Disturb” mode has been beefed up in Android P. Users will be able to set the mode so there are no visual cues at all on a display of notifications, not even in the notification drawer.

The mode can be activated simply by placing the phone face down on a flat surface. If a phone is set up to separate work from personal apps, it can be configured to mute all apps at once with a single toggle.

Moreover, there’s a “wind down” feature that will take the phone into Do Not Disturb mode at a bedtime set by the user.

Fighting Addiction

The new application dashboard and notification muting features target a growing social concern about smartphones.

“Google is making the product far more user-friendly and directly addressing at least some of the problems associated with smartphone addiction,” said Rob Enderle, principal analyst at the Enderle Group.

That strikes a contrast with Android’s chief competitor, iOS.

“Apple is more focused on ensuring privacy and doesn’t seem to be as aggressively addressing the addiction problem,” Enderle told TechNewsWorld.

It remains to be seen whether users will take advantage of the tools.

“Folks should care more about this — but, like any addiction, they likely feel they can deal with this one without help,” Enderle remarked.

The success of the features will depend on Google, noted Gerrit Schneemann, senior analyst at IHS Markit Technology.

“I firmly believe that many smartphone users do not use all the features of their phone to their full potential,” he told TechNewsWorld. “It seems like that could be the case here.”

“If Google focuses on things like ‘wind down’ to expose users to the capabilities, I think there could be traction,” Schneemann said. “However, depending on users to discover the dashboard alone will be problematic on a broad scale.”

More Than Well Being

In addition to the new “digital well-being” features, Android P will provide a new way to navigate phones.

There’s the familiar home button, but with modified behavior. With new gestures, a user swipes up to get an overview of open apps, and swipes up further to go to the app tray.

The back button is still there, but it only appears inside apps.

Google has added screenshot editing to Android P, allowing users to mark up screenshots without having to use another app.

Google also has injected smarts into app searching in Android P. When a search is performed, things that can be done with an app appear along with its icon. So if you search for a ride-sharing app, for example, the results might include a button to hail a ride.

The Android P team partnered with DeepMind on a new Adaptive Battery feature that optimizes app usage, noted Dave Burke, VP of engineering for Android.

“Adaptive Battery uses machine learning to prioritize access to system resources for the apps the user cares about most,” he wrote in an online post. “It puts running apps into groups with different restrictions using four new ‘App Standby buckets’ ranging from ‘active’ to ‘rare.’ Apps will change buckets over time, and apps not in the ‘active’ bucket will have restrictions in: jobs, alarms, network and high-priority Firebase Cloud Messages.”

Android P Adaptive Battery

Personal Touch

Android P shows Google wants to make the OS more personal and relevant for individuals, noted Brian Blau, a research director at Gartner.

“There’s a lot of new features in Android, but they all center on how can Google users have a more holistic and personal interaction with technology,” he told TechNewsWorld.

With Android P, Google is making a pitch to use less technology, Blau maintained.

“They’re saying you don’t need technology at every last pinpoint in every day of your life,” he continued. “Maybe you need more effective technology with fewer interactions. With Android P, Google is taking away the rough edges. That, over time, means what you will see is an Android that caters much more to the individual.”

From a feature and user interface perspective, Android P is one of the more significant rollouts for the OS in a while, noted Ross Rubin, principal analyst at Reticle Research.

“They’re also letting the beta run on more third-party phones,” he told TechNewsWorld. “In the past, betas only ran on a Nexus or Pixel device.”

Those third-party phones include the Essential Phone, Sony’s Xperia XZ2, Xiaomi’s Mi Mix 2S, Nokia’s 7 Plus, Vivo’s X21, Oppo’s R15 Pro and the soon-to-be-released OnePlus 6.


John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.


Open Source Is Everywhere and So Are Vulnerabilities, Says Black Duck Report | Enterprise


By Jack M. Germain

May 15, 2018 5:00 AM PT

Black Duck by Synopsys on Tuesday released the 2018 Open Source Security and Risk Analysis report, which details new concerns about software vulnerabilities amid a surge in the use of open source components in both proprietary and open source software.

The report provides an in-depth look at the state of open source security, license compliance and code-quality risk in commercial software. That view shows consistent growth in open source use over the last year, with the Internet of Things and other sectors showing similar problems.

This is the first report Black Duck has issued since Synopsys acquired it late last year. The Synopsys Center for Open Source Research & Innovation conducted the research and examined findings from anonymized data drawn from more than 1,100 commercial code bases audited in 2017.

The report comes on the heels of heightened alarm regarding open source security management following the major data breach at Equifax last year. It includes insights and recommendations to help organizations’ security, risk, legal, development and M&A teams better understand the open source security and license risk landscape.

The goal is to improve the application risk management processes that companies put into practice.

Industries represented in the report include the automotive, big data (predominantly artificial intelligence and business intelligence), cybersecurity, enterprise software, financial services, healthcare, Internet of Things, manufacturing and mobile app markets.

“The two big takeaways we’ve seen in this year’s report are that the actual license compliance side of things is improving, but organizations still have a long way to go on the open source security side of things,” said Tim Mackey, open source technology evangelist at Black Duck by Synopsys.

Gaining Some Ground

Organizations have begun to recognize that compliance with an open source license and the obligations associated with it really do factor into governance of their IT departments, Mackey told LinuxInsider, and it is very heartening to see that.

“We are seeing the benefit that the ecosystem gets in consuming an open source component that is matured and well vetted,” he said.

One surprising finding in this year’s report is that the security side of the equation has not improved, according to Mackey.

“The license part of the equation is starting to be better understood by organizations, but they still have not dealt with the number of vulnerabilities within the software they use,” he said.

Structural Concerns

Open source is neither more nor less secure than custom code, based on the report. However, there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers.

Open source has become ubiquitous in both commercial and internal applications. That heavy adoption provides attackers with a target-rich environment when vulnerabilities are disclosed, the researchers noted.

Vulnerabilities and exploits are regularly disclosed through sources like the National Vulnerability Database, mailing lists and project home pages. Open source can enter code bases through a variety of ways — not only through third-party vendors and external development teams, but also through in-house developers.

Commercial software automatically pushes updates to users. Open source has a pull support model. Users must keep track of vulnerabilities, fixes and updates for the open source system they use.

If an organization is not aware of all the open source it has in use, it cannot defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk, according to the report.
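To make the inventory point concrete, here is an added example (not code from the Black Duck report or any Synopsys tool) of the bookkeeping the report says organizations skip: parse pinned dependency manifests for several applications, match each component against advisories that carry an affected version range, and compute how widely each component is used across the portfolio. The manifests, application names and advisory entries are constructed sample data; the advisories are hypothetical placeholders, not real CVEs.

```python
"""Minimal open source component inventory with known-vulnerability matching.

Added example; the manifests and advisories below are constructed sample data
and the advisory identifiers in the comments are hypothetical.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Finding = Tuple[str, str, str]  # (component, installed version, first fixed version)

# Constructed dependency manifests for three hypothetical applications,
# in a simplified "name==version" format, one component per line.
MANIFESTS: Dict[str, str] = {
    "shop-frontend": "bootstrap==3.3.7\njquery==1.12.4\nlodash==4.17.10\n",
    "billing-api":   "jquery==3.3.1\nlodash==4.17.4\n",
    "iot-gateway":   "bootstrap==4.1.1\nlodash==4.17.11\n",
}

# Constructed advisories: (component, lowest affected version, first fixed version).
# A version v is affected when lowest <= v < fixed, the same shape NVD uses
# for its "version start including / version end excluding" bounds.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("jquery", "1.0.0", "3.0.0"),   # hypothetical advisory ADV-1
    ("lodash", "0.0.0", "4.17.5"),  # hypothetical advisory ADV-2
]


def parse_version(text: str) -> Version:
    """Turn '4.17.10' into (4, 17, 10). Integer tuples order correctly;
    comparing the raw strings would rank '4.17.10' below '4.17.5' and
    silently treat a fixed release as still vulnerable."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Map component name -> pinned version. Unpinned entries are rejected
    because an inventory line without a version cannot be matched."""
    components: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component: {line!r}")
        components[name.strip().lower()] = version.strip()
    return components


def is_affected(version: str, lowest: str, fixed: str) -> bool:
    """True when lowest <= version < fixed, compared numerically."""
    v = parse_version(version)
    return parse_version(lowest) <= v < parse_version(fixed)


def vulnerable_components(manifest_text: str,
                          advisories=ADVISORIES) -> List[Finding]:
    """Return the components in one manifest that fall inside an advisory range."""
    inventory = parse_manifest(manifest_text)
    findings: List[Finding] = []
    for name, lowest, fixed in advisories:
        if name in inventory and is_affected(inventory[name], lowest, fixed):
            findings.append((name, inventory[name], fixed))
    return findings


def audit(manifests: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Run the matcher over every application in the portfolio."""
    return {app: vulnerable_components(text) for app, text in manifests.items()}


def prevalence(manifests: Dict[str, str]) -> Dict[str, float]:
    """Fraction of applications that ship each component, the figure the
    report quotes for Bootstrap and jQuery."""
    counts: Dict[str, int] = {}
    for text in manifests.values():
        for name in parse_manifest(text):
            counts[name] = counts.get(name, 0) + 1
    return {name: n / len(manifests) for name, n in counts.items()}


if __name__ == "__main__":
    for app, findings in audit(MANIFESTS).items():
        print(app, findings or "no known-vulnerable components")
    for name, share in sorted(prevalence(MANIFESTS).items()):
        print(f"{name}: present in {share:.0%} of applications")
```

Two details carry the security weight. Versions are compared as integer tuples, because a string comparison orders 4.17.10 before 4.17.5 and would report a patched component as vulnerable, or the reverse when the bound is on the other side. And a component without a pinned version is rejected outright rather than skipped, since an inventory that cannot be matched against an advisory is exactly the blind spot the report describes.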

Changing Stride

Asking whether open source software is safe or reliable is a bit like asking whether an RFC or IEEE standard is safe or reliable, remarked Roman Shaposhnik, vice president of product & strategy at Zededa.

“That is exactly what open source projects are today. They are de facto standardization processes for the software industry,” he told LinuxInsider.

A key question to ask is whether open source projects make it safe to consume what they are producing, incorporating them into fully integrated products, Shaposhnik suggested.

That question gets a twofold answer, he said. The projects have to maintain strict IP provenance and license governance to make sure that downstream consumers are not subject to frivolous lawsuits or unexpected licensing gotchas.

Further, projects have to maintain a strict security disclosure and response protocol that is well understood, and that is easy for downstream consumers to participate in, in a safe and reliable fashion.

Better Management Needed

Given the continuing growth in the use of open source code in proprietary and community-developed software, more effective management strategies are needed on the enterprise level, said Shaposhnik.

Overall, the Black Duck report is super useful, he remarked. Software users have a collective responsibility to educate the industry and general public on how the mechanics of open source collaboration actually play out, and the importance of understanding the possible ramifications correctly now.

“This is as important as understanding supply chain management for key enterprises,” he said.

Report Highlights

More than 4,800 open source vulnerabilities were reported in 2017. The number of open source vulnerabilities per code base grew by 134 percent.

On average, the Black Duck On-Demand audits identified 257 open source components per code base last year. Altogether, the number of open source components found per code base grew by about 75 percent between the 2017 and 2018 reports.

The audits found open source components in 96 percent of the applications scanned, a percentage similar to last year’s report. This shows the ongoing dramatic growth in open source use.

The average percentage of open source in the code bases of the applications scanned grew from 36 percent last year to 57 percent this year. This suggests that a large number of applications now contain much more open source than proprietary code.

Pervasive Presence

Open source use is pervasive across every industry vertical. Some open source components have become so important to developers that those components now are found in a significant share of applications.

The Black Duck audit data shows open source components make up between 11 percent and 77 percent of commercial applications across a variety of industries.

For instance, Bootstrap — an open source toolkit for developing with HTML, CSS and JavaScript — was present in 40 percent of all applications scanned. jQuery closely followed with a presence in 36 percent of applications.

Another component common across industries was Lodash, a JavaScript library that provides utility functions for programming tasks. Lodash appeared as the most common open source component used in applications employed by such industries as healthcare, IoT, Internet, marketing, e-commerce and telecommunications, according to the report.

Other Findings

Eighty-five percent of the audited code bases had either license conflicts or unknown licenses, the researchers found. GNU General Public License conflicts were found in 44 percent of audited code bases.

There are about 2,500 known open source licenses governing open source components. Many of these licenses have varying levels of restrictions and obligations. Failure to comply with open source licenses can put businesses at significant risk of litigation and compromise of intellectual property.

On average, vulnerabilities identified in the audits were disclosed nearly six years ago, the report notes.

Those responsible for remediation typically take longer to remediate, if they remediate at all. This allows a growing number of vulnerabilities to accumulate in code bases.

Of the IoT applications scanned, an average of 77 percent of the code base consisted of open source components, with an average of 677 vulnerabilities per application.

The average percentage of code base that was open source was 57 percent versus 36 percent last year. Many applications now contain more open source than proprietary code.

Takeaway and Recommendations

As open source usage grows, so does the risk, OSSRA researchers found. More than 80 percent of all cyberattacks happened at the application level.

That risk comes from organizations lacking the proper tools to recognize the open source components in their internal and public-facing applications. Nearly 5,000 open source vulnerabilities were discovered in 2017, contributing to nearly 40,000 vulnerabilities since the year 2000.

No one technique finds every vulnerability, noted the researchers. Static analysis is essential for detecting security bugs in proprietary code. Dynamic analysis is needed for detecting vulnerabilities stemming from application behavior and configuration issues in running applications.

Organizations also need to employ software composition analysis, they recommended. With the addition of SCA, organizations can more effectively detect vulnerabilities in open source components while managing whatever license compliance their use of open source may require.
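The three tasks the report ties to SCA (inventory the open source in use, match it against known vulnerabilities, check license obligations) can be seen in miniature below. This is an added example, not code from the report or from any vendor's tool; every component name, version, advisory id and license in it is a constructed placeholder, and a real tool would consult the National Vulnerability Database and a license database instead.

```python
"""Minimal SCA-style audit of a component inventory.
Added example, not from the OSSRA report or any vendor; every name,
version, advisory id and licence below is a constructed placeholder.
A real tool would query the National Vulnerability Database instead.
"""

def version_key(version):
    """Turn '4.17.4' into (4, 17, 4) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))

def parse_manifest(text):
    """Inventory 'name==version' lines; skip blanks and '#' comments."""
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        components[name.strip().lower()] = version.strip()
    return components

def find_vulnerable(components, advisories):
    """Flag components older than an advisory's fixed-in version."""
    hits = []
    for name, fixed_in, advisory_id in advisories:
        installed = components.get(name)
        if installed and version_key(installed) < version_key(fixed_in):
            hits.append((name, installed, advisory_id))
    return hits

def find_license_conflicts(components, licenses, banned_prefixes):
    """Flag components whose licence is unknown or in a banned family."""
    conflicts = []
    for name in components:
        lic = licenses.get(name)
        if lic is None or lic.startswith(banned_prefixes):
            conflicts.append((name, lic or "UNKNOWN"))
    return conflicts

# Constructed sample data: placeholder names, versions and advisory ids.
MANIFEST = "libalpha==1.4.2\nlibbeta==2.0.9\n# pinned last year\nlibgamma==0.8.1\n"
ADVISORIES = [("libalpha", "1.5.0", "ADV-PLACEHOLDER-1"),
              ("libbeta", "2.0.9", "ADV-PLACEHOLDER-2")]
LICENSES = {"libalpha": "MIT", "libbeta": "GPL-3.0-only"}

def audit(manifest=MANIFEST):
    """Inventory first, then the two checks the report says SCA is for."""
    comps = parse_manifest(manifest)
    return {"components": comps, "vulnerable": find_vulnerable(comps, ADVISORIES),
            "license_conflicts": find_license_conflicts(comps, LICENSES, ("GPL", "AGPL"))}
```

Note that a component pinned at exactly the fixed-in version is not flagged, while one with no license on record is reported as unknown rather than silently passed, which is the "unknown licenses" case the report counts.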


Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.