4 Themes From the Open Source Leadership Summit (OSLS)

This week we attended The Linux Foundation’s Open Source Leadership Summit (OSLS) in Sonoma. Over the past three decades infrastructure open source software (OSS) has evolved from Linux and the Apache web server to touching almost every component of the infrastructure stack. We see OSS’s widespread reach from MySQL and PostgreSQL for databases and OpenContrail and OpenDaylight for networking to OpenStack and Kubernetes for cloud operating systems. Its increasing influence up and down the stack is best exemplified by the explosion of solutions included on the Cloud Native Landscape that Redpoint co-published with Amplify and the CNCF.

During the conference we heard four main themes: 1) OSS security, 2) serverless adoption, 3) public cloud vendors’ open source involvement, and 4) Kubernetes’ success.

The themes suggest that OSS is not only here to stay but growing in popularity. OSS has become a necessary but insufficient component of a next-generation cloud infrastructure software business. We are very bullish about the future of open source and will continue to invest in startups that offer cloud native OSS solutions and facilitate its secure adoption.

1. Securing OSS Is Imperative

Open source components comprise 80–90% of modern applications. An average application contains over 190 open source components. The popularity of Maven, GitHub, and npm demonstrates massive OSS adoption. Since GitHub’s founding in 2008, it has grown to about 2M MAU and over 24M accounts. npm estimates that rolling 28-day downloads are over 12.5 billion.

OWASP has ranked using components with known vulnerabilities among its top ten risks for over five years. With an infinite supply of OSS and heavy usage, businesses must address two challenges of leveraging open source: 1) components are not always secure, and 2) interlocking dependencies between packages and libraries create risk. We repeatedly heard that quality, integrity, and security need to improve across the entire software supply chain.

The first stage of improving OSS security is making it an integral part of developing open source code. A 2017 Sonatype report suggested that 84% of OSS projects don’t fix known security defects, that 1 in 18 downloads contained at least one known security vulnerability, and that for the projects that actively fix security vulnerabilities the mean time to remediation was 233 days. One step toward improving the quality and security of OSS is to follow the Linux Foundation (LF) Core Infrastructure Initiative (CII) best practices, such as vulnerability and bug reporting and fixing processes, basic good cryptographic practices, delivery secured against man-in-the-middle (MITM) attacks, and static and dynamic code analysis, among others. Projects that meet the CII criteria receive a badge that identifies their efforts. In his keynote, HackerOne CEO Marten Mickos emphasized that security is a shared responsibility within OSS communities.

We also see the rise of bug bounty programs, in which individuals receive recognition and compensation for reporting and fixing software bugs. Large companies like Apple and Facebook have programs, as do third-party platforms like HackerOne, Synack, and Bugcrowd. Mickos also stated that by leveraging white hat hackers to identify vulnerabilities, the community can help lower the total cost of leveraging open source.

Those using OSS should embrace automated open source governance tools to continuously evaluate and monitor open source hygiene across the entire development lifecycle. It is important to do package analysis and vulnerability scanning to identify necessary patches. Offerings include Snyk, SourceClear, Gemnasium, Hakiri, OSS Index, and others. Some companies have implemented an OSS firewall that automatically governs the components entering the software supply chain by quarantining software that violates a defined security or licensing policy. Compared to manual approval of OSS components, automation not only improves security but accelerates software development.
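As an added illustration of the OSS firewall idea above (example code, not from the post or from any vendor it names), here is a small policy gate that quarantines lockfile entries matched by an advisory at or above a severity threshold, or carrying a license outside an allowlist. The lockfile excerpt, advisory feed, identifiers, and version ranges are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed npm-style lockfile excerpt: (package, version, declared license).
LOCKFILE = [
    ("acme-logger", "1.4.2", "MIT"),
    ("acme-parse", "2.1.0", "MIT"),
    ("acme-crypto", "0.9.7", "Apache-2.0"),
    ("acme-chart", "3.0.0", "GPL-3.0"),
]
# Constructed advisory feed: (package, affected range, severity, advisory id).
ADVISORIES = [
    ("acme-parse", ">=2.0.0 <2.3.1", "HIGH", "ADV-CONSTRUCTED-001"),
    ("acme-crypto", "<1.0.0", "MEDIUM", "ADV-CONSTRUCTED-002"),
    ("acme-logger", "<1.0.0", "CRITICAL", "ADV-CONSTRUCTED-003"),
]
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
_CMP = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def parse_version(v: str) -> Tuple[int, int, int]:
    """'1.2' -> (1, 2, 0): pad to three fields so 1.2 == 1.2.0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def in_range(version: str, range_expr: str) -> bool:
    """True if version satisfies every space-separated comparator (AND semantics)."""
    for token in range_expr.split():
        m = re.fullmatch(r"(<=|>=|<|>|=)(\d+(?:\.\d+)*)", token)
        if not m:
            raise ValueError(f"unsupported comparator: {token}")
        if not _CMP[m.group(1)](parse_version(version), parse_version(m.group(2))):
            return False
    return True

def evaluate(lockfile, advisories, allowed_licenses, block_at="HIGH") -> List[Tuple[str, str, str]]:
    """Return (package, version, reason) for every component the gate would quarantine."""
    blocked = []
    for name, version, license_ in lockfile:
        if license_ not in allowed_licenses:
            blocked.append((name, version, f"license {license_} not in allowlist"))
            continue  # one reason per component is enough to quarantine it
        for adv_name, affected, severity, adv_id in advisories:
            if adv_name == name and in_range(version, affected) \
                    and SEVERITY_RANK[severity] >= SEVERITY_RANK[block_at]:
                blocked.append((name, version, f"{adv_id} ({severity}) affects {affected}"))
                break
    return blocked

if __name__ == "__main__":
    for entry in evaluate(LOCKFILE, ADVISORIES, ALLOWED_LICENSES):
        print("QUARANTINE", *entry)
```

Lowering `block_at` to "MEDIUM" additionally quarantines the constructed acme-crypto entry, which is how a team would tighten the gate as its remediation capacity grows.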

Usually we think about the risks of using open source software with vulnerabilities in more traditional applications. But imagine the broader risks with edge applications like autonomous systems such as vehicles, drones, or robots. In these environments a security gap means not only a breach but potentially a fatality. Embedding security best practices into the creation of open source and into the software supply chain is crucial.

2. Serverless Has Captivated the DevOps Community

As companies move to the public cloud and use managed services that are often originally open source (e.g. MySQL, PostgreSQL), engineering teams must add value further up the stack. Serverless platforms mirror this transition since they allow engineering teams to provision servers more quickly, reduce hardware risk, decrease cycle time, and increase scalability. During the conference, Subbu Allamaraju, VP of Technology at Expedia, noted that Expedia was using AWS Lambda to reduce server overprovisioning and thereby cut costs. Cost savings are especially apparent for inconsistent workloads, since AWS Lambda bills in 100 millisecond increments whereas EC2 bills per second. Attendees noted that while cost savings are a nice benefit, the main value proposition is faster code development cycles. Expedia stated that the teams that use managed solutions were the ones able to experiment with Lambda and create greater value faster. Serverless technology increases developer productivity, accelerates innovation, expedites time to market, and improves business agility — the main concerns for businesses trying to stay competitive.

At OSLS, Redpoint and CNCF presented our cloud native serverless landscape, which shows that OSS is prolific within the Function-as-a-Service ecosystem. The landscape includes 57 offerings, of which 28 are open source (~49%). Within the library, tools, frameworks, and Kubernetes-native platform categories, most of the solutions are open source.

As serverless is inherently an event-driven architecture, it is a natural fit for IoT uses. Over the past year we’ve seen larger vendors emphasize this use case with solutions like AWS Lambda@Edge, AWS Greengrass, Cloudflare Workers, and others. We think that serverless at the edge is a powerful value proposition to improve application performance and user experience. To further accelerate adoption at the edge, OSS and startups can enhance database synchronization, service discovery, and operations/performance.

3. Public Cloud Vendors and OSS

Top of mind for many attendees was how public clouds like AWS, GCP, and Azure are building, engaging, and commercializing open source.

A talk from Amazon highlighted three main motivations for its OSS initiatives: 1) engagement and collaboration, 2) scaling services, and 3) seeding the market. Engagement is used to motivate partners and satisfy customers. For example, Amazon worked with Netflix, a large customer, on Spinnaker to strengthen the relationship.

Amazon highlighted that it contributes upstream to Postgres, MySQL, and GraphQL to help scale managed services like AWS RDS, AWS Aurora, and AppSync. Chen Goldberg, Google Cloud’s director of engineering, mirrored this sentiment during her keynote: “For Google, open-source software is part of the strategy, it’s not a side-gig. From the start Kubernetes upstream was also investing in Google Compute Engine (GCE) and vice-versa.”

Finally, Amazon seeds the market with big data sets like 1000Genome and IRS 990 filings to catalyze customers to use other services that support ML data pipelines, training, and serving. Similarly, Microsoft Azure’s CTO Mark Russinovich stated that AI/ML has been enabled by 1) public cloud infrastructure, 2) GPU improvements, and 3) open source languages, libraries, and frameworks. His talk suggested that Microsoft contributes to the open source Apache MXNet and ONNX projects as a mechanism to increase the number of compute- and data-intensive ML pipelines that leverage Azure’s core services like compute and storage. This third motivation mirrors a Red Hat talk earlier in the day that underscored that vendors promote OSS to increase the sale of complementary goods. In Amazon’s case, it open sourced data sets to drag along its core computing and storage services.

Interestingly, Expedia noted that the public cloud’s managed services offerings are not eating open source; rather, managed services of OSS allow outsourcing of the undifferentiated heavy lifting. Engineering teams no longer need to spend weeks setting up environments. Now it takes minutes. This presents an opportunity for engineers to move up the value chain.

4. Congrats on Graduating from the CNCF, Kubernetes!

On Tuesday, the CNCF announced that Kubernetes was the first project to graduate from the CNCF. Kubernetes is used in production at companies like Uber, Bloomberg, BlackRock, BlaBlaCar, The New York Times, Lyft, and eBay. Going back to our point regarding OSS security, Kubernetes also had to earn (and maintain) a CII best practices badge to graduate.

We see Kubernetes as a higher-level abstraction that acts like a hybrid cloud operating system. The flexible plugin architecture allows additional functionality to be built on top like universal policy controllers, data management, service meshes, and security. We are excited about startups that are building Kubernetes-native solutions that facilitate running containers and functions in production.

In conclusion, Kubernetes’ success exemplifies the continued momentum of OSS projects in the cloud native space. With open source touching nearly every component of the stack from Docker images to serverless frameworks, software supply chain governance and security are becoming more important than ever. We believe open source is a key component of cloud infrastructure software companies and will continue to invest in startups that create value through OSS and advance its secure use.