Four Questions For: Tod Beardsley

Why do you believe it is important to have open source security software? Wouldn’t that make it easier for hackers to crack the code?
Yes, and this is a good thing! Open source is especially important for core security functions precisely because everyone can take a look at how the security is actually implemented. Hackers, researchers, academics, tinkerers — when everyone can see how security works, everyone wins. People can learn from both good implementations and bad, vulnerabilities can be discovered and disclosed before and while bad actors are exploiting them, and ultimately, open source can help promote a clear, concise, maintainable code base.
What are some easy security protections for companies to implement, especially companies that have never dipped their toes in any kind of security investment?
Companies that are new to the software distribution game should look to assembling, rather than inventing, their own software. Using standard libraries and frameworks can solve many “old” and “easy” computer security problems before they come up. While there are occasional cross-library vulnerabilities, the path of writing one’s own control software opens up a Pandora’s Box of unsanitized input and buffer overflows. Modern application frameworks tend to do a pretty good job at helping developers avoid 99 out of 100 “gotchas” in secure design.
With ransomware crime on the rise, how can everyday citizens protect themselves against being “held hostage”?
The security industry, as well as regular IT industry, has been advocating reliable backups for decades in the context of sudden and unpredictable disaster. A silver lining to the ransomware threat is that it helps promote the idea of backups in the face of malicious, rather than merely accidental, disaster. My hope is that ransomware is the emotional kick that people need to actually take backups and distributed data storage seriously.
What do you predict will be the next major issues in cybersecurity? What industries or devices are particularly vulnerable?
Distributed, malicious computing using a network of popular but insecure IoT devices seems practically inevitable; in particular, the massive install base of small office / home office (SOHO) routers. The problem with a router-hosted botnet is that these devices often don’t have a reasonable patch pipeline, so such infections can last a long time — potentially much longer than standard desktop and server malware.
We saw a hint of this in the “HackCensus” of 2012, where an unknown person temporarily took control of hundreds of thousands of insecure home routers to conduct mass portscanning. While the Carna botnet seems to have been short-lived, it’s only a matter of time before this large, installed base of ready-to-pwn devices gets marshaled into malicious computing again.
Tod Beardsley
Tod Beardsley is the Principal Security Research Manager at Rapid7. He has over 20 years of hands-on security knowledge and experience, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT ops and IT security positions in large-footprint organizations such as 3Com, Dell and Westinghouse, as both an offensive and defensive practitioner. Today, Beardsley often speaks at security and developer conferences on open source security software development, managing the human “Layer 8” component of security and software, and reasonable vulnerability disclosure handling. He can be contacted via the many addresses listed at https://keybase.io/todb.

Is the Hortonworks IPO a referendum on open source?

This past Friday, Hortonworks made good on its announced intention to present an initial public offering to the market. The shares were initially priced at $16, opened with an initial bid of $24, and closed their first day of trading at $26.48. The shares were down to $24.97 as of Tuesday’s market close. We’ll see how the company does post-holidays.

In the run-up to the IPO, some criticism of it emerged, based (understandably) on the company’s startup status and current lack of profitability. Revenues may be substantial, but if costs exceed them, you can’t blame people for being skeptical about its shares.

Suffice it to say, there are plenty of companies in the data sphere whose business model seems to be all about the exit. These companies are less built to be profitable than to be bought by profitable companies that don’t feel like building competing products themselves. That premise feels non-compliant with the laws of business gravity I learned over my own career, but it does at least follow a certain logic. And Hortonworks’ pre-profit IPO doesn’t seem any more deviant.

OSS + IPO = ?

The area where I do have questions revolves around Hortonworks’ operational model of bringing 100 percent open-source software to market and monetizing exclusively on training, services and support to its customers (including other vendors).

If we think about recent splashy data IPOs, we quickly arrive at those of Splunk and Tableau. Like Hortonworks, both companies are in the data and analytics space, and Hadoop is a very influential part of their businesses. Tableau is a profitable company whose prospects seem ever-expanding, and Splunk reached profitability several years ago. Both companies deal in commercial proprietary software as their business model (even if Splunk is involved in a number of open-source projects). This makes for a straightforward pitch with shareholders: We make software, we sell licenses for that software, and then we update it and add new products to the portfolio, for which we also sell licenses.

Sometimes the pitch is more nuanced. I remember when two other open source companies, Pentaho and Jaspersoft, first came on the scene. The model both companies adopted was to develop core software and make it available under open-source arrangements but also build and offer higher-end extras for more conventional licensing and sale.

Even with that hybrid approach, back then, in the largely Enterprise world of business intelligence, such a model seemed suspect. Eventually Pentaho and Jaspersoft made their way, though, and as incumbent vendors’ license pricing rose, the efficacy of the commercial open-source model seemed even more apparent. Regardless, Pentaho does not today particularly identify as an open-source company. Jaspersoft, meanwhile, has been acquired by the very commercial software-oriented Tibco.

Hadoop chutzpah

The bottom line of all this is that recent analytics IPOs have orbited around commercial software, and even open-source analytics companies that have not gone public have become more commercial. So with those precedents in place, where does Hortonworks, a pre-profit startup dedicated to 100 percent open source, get its nerve? Before offering a hasty response to that question, consider some counterpoints.

To begin with, Hortonworks does make software and it does, even if indirectly, make money from that software. No, Hortonworks doesn’t sell licenses. Instead, it takes a leadership role in developing key components in Hadoop, including Hadoop 2.0’s YARN cluster management layer, the Tez framework that offers interactive services on top of it, and the Stinger initiative that has converted Hive from a SQL abstraction layer over MapReduce to one that utilizes the aforementioned Tez and YARN. And, lest you forget, Hortonworks is a spinoff of the team at Yahoo that drove Hadoop’s creation in the first place.

Elephants in a row

Since YARN and Hive ship with virtually all Hadoop distributions, and as support for Tez grows, Hortonworks’ position as “the” support organization around Apache Hadoop looks increasingly credible.

If Hortonworks made proprietary extensions to Hadoop, those components would not ship with competitors’ distributions. And if Hortonworks were less committed to open source, it might have less influence in seeing some of its projects (like Tez) on-boarded to the Apache Incubator and then reach Top Level Project status. Suddenly, Hortonworks’ open-source strategy seems less naive and less altruistic — in fact, it may be pretty darn shrewd.

Hadoop is becoming a universal data layer, increasingly embedded in other software. Open source may not be the fastest road to monetizing software, but it is a superhighway for establishing standards that gain rapid industry-wide support. And since Hortonworks wants to be, quite literally, the standard bearer, its 100 percent open-source mantra actually makes a lot of sense.

Let the market decide

That doesn’t mean it will work. There’s an increasingly pervasive attitude in the analyst community that the open-source model hasn’t been financially rewarding for most companies that have bet on it. Red Hat is offered as the exception, though that offer is usually followed with disparaging remarks uttered under the critics’ breath.

But Hortonworks is bullish on Hadoop, on open source, and on the business model of supporting the big data technology that it helped build and helped establish as an industry standard. Perhaps ticker symbol HDP will serve as a tracking stock for that go-to-market approach.

With $10M, HashiCorp launches its first commercial product

Building applications in today’s world involves a lot of work assembling, managing and monitoring all of those various components that need to come together across myriad environments. To help with this chore, HashiCorp is rolling out an application development hub called Atlas, its first commercial product based on its various open-source technology. The startup is also announcing a $10 million series A funding round from Mayfield Fund, GGV Capital and True Ventures (see disclosure).

HashiCorp’s biggest claim to fame is its open-source Vagrant tool that helps developers quickly spin up virtual environments so they can build and test their software projects before they see the light of day.

Over time, the startup developed other open-source tech to help coders with all aspects of the software-development process: from Serf, which handles cluster management and makes sure those developer environments don’t fail, to Consul, which helps users discover and configure all the services running in their coupled-together applications.

[Atlas diagram]

With Atlas, the startup is bundling up all of its open-source software into one package and throwing in a dashboard that will supposedly let coders see how their application is performing in both public and private clouds or hybrid environments.

The Atlas software-as-a-service is now available in beta and will be available to the public in the first quarter of 2015; the company will explain pricing by then and will unveil an on-premise version.

Diagram provided by HashiCorp

Disclosure: HashiCorp is backed by True Ventures, a venture capital firm that is an investor in the parent company of Gigaom.

CIOs ill equipped to manage the growing security threats

Security, or Information Security (InfoSec) to use the more formal term, is going through a period of massive change. In recent months, the public has become keenly aware of information security risks. Public security issues at Target, UPS, Apple’s iCloud, Home Depot and the government’s Healthcare.gov website moved security awareness front and center for the general public. When considering the reach of these companies, statistically speaking, it is highly probable that one or more of these issues has affected most people in the US.

Public awareness

At a recent conference of CIOs, Chief Information Security Officers (CISO), CEOs and security experts discussed the challenges all companies face. One expert noted that security is a balance between privacy and security. While that may be true, risk also must be considered along with cost. One could argue that ethics may or may not play a role in the decision too. While somewhat unrelated, it does bring to mind the case study of the Ford Pinto. The decisions made can impact a great number of people.

Security’s big data problem

Today’s security problem has evolved from the days of firewalls and virus protection. Today’s security problem is far more complex and involves people, mobile devices, insecure networks, complex applications and subtle footprints. These subtle footprints, while independently insignificant, point to a larger issue when considered together with other data points.

Collaboration, whether within a company or across companies, is key. Competitors within a single industry are even starting to collaborate on security issues. In addition, the volume of data being analyzed is really a big data problem. Gone are the days when just looking for a certain ‘signature’ would suffice. Threats are far more sophisticated, clever and adaptable.

Reducing the risk footprint

One way to break down the problem is to look across the enterprise and break down the risk footprint. The risk footprint is the area that is most sensitive to the enterprise. It may refer to systems, applications or data. Simply treating all systems, networks, applications and data as equal creates a fairly daunting problem. In addition, the problem is only getting more complex, not simpler. Reducing the footprint allows the organization to understand the varying degrees of risk and bring attention to those areas that need it. In many ways, it provides clarity for the organization to focus on the crown jewels.

Defining the crown jewels

As with any assessment, understanding what is critical is key. According to Alex Stamos, Yahoo’s CISO, “Nobody but Microsoft is qualified to run Exchange today.” One could argue with that statement in the past. Today, one would be hard-pressed to argue, as Exchange gets increasingly more complex and becomes more of a utility to companies rather than a strategic differentiator. It is those more sensitive areas that one needs to focus on.

New threat vectors

In addition to commercial applications like Exchange, the IT organization needs to consider (relatively) new potential threat vectors from open source software and Internet of Things (IoT). Open source software is not new. However, it is gaining wider appeal in the enterprise IT organization. According to Tom Reilly, CEO of Cloudera, “400 people look at commercial software versus open source where 4 million people look at it.” Even major companies such as Salesforce take an ‘open source first’ approach with software.

Open source is not the only new tool in the shed getting InfoSec attention. IoT is both exciting and scary at the same time. Unlike traditional IT systems, networks and applications, IoT presents an exponentially complex problem for security. Concerns circle around IoT being built on a broken foundation that was not built for IoT. PG&E, the main power and gas utility in the San Francisco Bay Area, is concerned about security and IoT with its smart meters. PG&E uses IoT to validate the devices and data coming in, to avoid fake power outages. Without validation, the ramifications could be huge. And that is just the start. What happens when IoT devices such as wearables become more commonplace, but are not updated? Each of those could present a growing threat.

The sky is not falling

According to Yahoo’s Stamos, “There is nothing that Yahoo can buy today to solve the problems.” The panel of security experts mentioned that when considering threats from nation states, there are only 30-40 Fortune 500 companies that are keeping up.

With all of these concerns, one could easily become paranoid. It is good to keep a healthy degree of concern around security, but also to support innovation and new paradigms. Cyber security is not going away; it is just going to evolve. Today’s CIO and IT organization need to understand these threats, stay on top of them and adapt accordingly.