Copy
Now, eBPF looks to provide an entirely new model, besides syscalls, to program the kernelView in browser »
The New Stack Update

ISSUE 238: The Trojan Horse Inside Linux

Talk Talk Talk

“By replacing release nights with feature flags, you now have the freedom to release new code as quick and as often as you want.”

___
Talia Nassi, Split Software
Add It Up
Even When OSS Compliance Occurs, InfoSec Rarely Gets Automated Access to Data

Stop asking about how to integrate security into the development pipeline and start talking about how open source compliance is utilized by information security professionals.

Security professionals are dissatisfied with how legacy application security software has been utilized by developers. They think if their tools were easier to integrate and more accurate, then developers would be more likely to adopt them — according to WhiteSource Software’s recent survey, which compared answers from over 220 security professionals with those from over 280 software developers, architects and DevOps practitioners.

But ease of integration may not be holding developers back. While 48% of the security respondents thought the ease of integration is the most important feature for developers adopting a specific AppSec tool, only 22% of developers thought likewise. The discrepancy is because a lot of developers don’t think any additional feature would make them more likely to use a tool built for a security pro.

A different way of looking at things is from the developer, architect and DevOps point of view. These job roles often utilize software composition analysis software, which scans for both license compliance, dependencies, and vulnerabilities all at the same time.

In our recent “Open Source in the Enterprise,” almost 500 respondents’ organizations utilized an open source compliance tool or methodology, which indicates open source compliance has been accepted by the enterprise. But it still has a long way to go as only 29% of this group affirmatively agree that the Information Security function accesses data from the automated tools used for open source compliance. Another 37% answered “Don’t know,” indicating a dramatic lack of visibility between groups involved in the so-called DevSecOps ecosystem.

What's Happening

Software developers and engineers continue to write or run scripts to glue together components into workflows, even though it is a time-consuming task. However, adopting machine learning or other new technologies that could replace these tried-and-tested scripts can prove to be a challenge for many. In other words, it can be difficult to convince engineers to change how they work.

In this edition of The New Stack Makers podcast, Tiffany Jachja, evangelist for software delivery platform provider Harness, and Rajsi Rana, senior product manager, Oracle Cloud, discuss scripting and how machine learning, CI/CD and other processes can help guide a shift in engineering culture to make the most of time and resources. Alex Williams, founder and publisher of The New Stack, hosted this episode.

Supplanting Scripting with Engineering Management and Machine Learning

The Trojan Horse Inside Linux

In many ways, the extended Berkeley Packet Filter (eBPF) could be a Trojan Horse to the Linux kernel, suggested Daniel Borkmann, Linux kernel engineer for Cilium, in a technical session during the recent KubeCon + CloudNativeCon EU virtual conference. Initially, BPF was accepted into the Linux kernel as a simple tool for packet filtering. But now eBPF looks to provide an entirely new model, besides syscalls, to program the kernel.

When the upgrade was first offered up to the kernel keepers in 2013, it was rejected for being a big patch bomb, Borkmann recalled. Linus Torvalds himself said that he doesn’t mind “crazy” ideas as long as the contributor has a logical rationale for them. With this in mind, the eBPF designers stepped back and started incrementally, and significantly, upgrading the kernel’s existing BPF. They heavily extended the instruction set, swapped out the interpreter for a new one altogether, and added in a verifier to ensure the code is correct for the kernel. As a result, eBPF is now a full virtual machine within the kernel itself. 

The potential use cases are many. Netflix is using it to run secure programs in the kernel. Cilium itself uses eBPF to offer what it claims is a fast version of KubeProxy for Kubernetes. Borkmann speculates that one day the majority of the functionality that is now in the kernel will be offloaded to eBPF functions, leaving only a very small, fast microkernel.

If this radical shift does come to pass then it would be a very effective Trojan Horse indeed. For when Linux creator Linus Torvalds had first created Linux, his design was criticized by  Andrew S. Tanenbaum for its monolithic design. Torvalds had stuck by his decision. “I agree that microkernels are nicer,” he admitted, though for practical reasons — namely that the GNU kernel wasn’t ready — he created Linux as a monolith. “Linux wins heavily on points of being available now,” he wrote at the time.

So if eBPF is a Trojan Horse — it may well be a much-needed one. 

Brendan Burns: Everything You Need to Know About Confidential Computing and Containers

Confidential computing is an industry-changing technology that is a cornerstone for data security and privacy. Protecting and securing the data is especially important when the data or application leaves the organization, whether moving to the cloud or a partner location. In this contributed post, Kubernetes’ co-creator, and Microsoft corporate vice president of Azure Compute, explains what confidential computing brings to Kubernetes.

Back to the Future: Static Websites for High Performance

Static sites serve content without the need for a backend database layer. They consume very little computing resources, so they load quickly because there are no database queries, no templates to render and no client-server requests to process. This contributed post from Strapi’s Pierre Burgy explains why static web sites are not only a thing of the past, but of the future as well. 

Tutorial: Use Hugo to Generate a Static Website

With no database backend, plugins, or even PHP to go along with it, the open source Hugo uses templates to generate a full (albeit static) website. These pre-built pages are served up incredibly quickly. So when you need speed, Hugo could be what you’re looking for. 

On The Road
All Things Open // OCT. 19-20 // VIRTUAL

OCT. 19-20 // VIRTUAL

All Things Open

The leaders in open source have a few things in common, and these have led them to the top, but how solid is their footing? Alex Williams will present the latest results from The New Stack’s annual research project with The Linux Foundation’s TODO group, a network of leaders from companies with open source programs. VMware was also a sponsor of The New Stack’s research. Register now

The New Stack Makers podcast is available on:
SoundCloudFireside.fm — Pocket CastsStitcher — Apple PodcastsOvercastSpotifyTuneIn

Technologists building and managing new stack architectures join us for short conversations at conferences out on the tech conference circuit. These are the people defining how applications are developed and managed at scale.
Pre-register to get the new second edition of the Kubernetes ebook!

A lot has changed since we published the original Kubernetes Ecosystem ebook in 2017. Kubernetes has become the de facto standard platform for container orchestration and market adoption is strong. We now see Kubernetes as the operating system for the cloud — evolving into a universal control plane for compute, networking and storage that spans public, private and hybrid clouds. In this ebook you’ll learn:

  • Kubernetes architecture.
  • Options for running Kubernetes across a host of environments.
  • Key open source projects in the Kubernetes ecosystem.
  • Adoption patterns of cloud native infrastructure and tools.
Download Ebook
We are grateful for the support of our ebook sponsors:








 
Copyright © 2020 The New Stack, All rights reserved.


Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp