Open Source Software: Helping Information Sharing? - @ Coalition Information Sharing Conference: Building Capabilities for Multi-national ...

Page created by Ernest Gardner
 
Open Source Software:
Helping Information Sharing?
@ Coalition Information Sharing Conference:
Building Capabilities for Multi-national
Interoperability in an Era of Austerity

                                             March 2014
                John Scott, john@airgap.io, 240.401.6574
BLUF
Open Source Software widely in use
• Now what?
• Good at using open source software, not at
  developing, releasing and interacting with
  communities

Must figure out how to adapt, morph, evolve
technical and organizational bureaucracy to take
advantage of OSS development model
Open Source Software =
"software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of that software"*

 *Reference: 16 October 2009 memorandum from the DoD CIO, "Clarifying Guidance Regarding Open Source Software (OSS)"
What
Free/Libre and Open Source Software (FLOSS or
OSS) is software where:
• Code is distributed under a copyright license
  w/ certain terms & conditions
• Key: must share downstream changes
• OSS has many affordances: can be less costly,
  less lock-in, able to learn
• OSS engenders a vibrant learning environment
  and community
OSS Myths
Must share code changes with everyone!
• False: only downstream (although easier to push
  upstream to central repo)
Only folks in basement do OSS!
• False: Governments & enterprise using and
  contributing to OSS
  – Germany, UK, Denmark, Brazil, Canada, Korea, Japan,
    USA ++ many others have set national policies around
    the use (and preference) of OSS
OSS Not secure!
• No code should ever be considered secure, bug free, etc.
  BUT at least with OSS you have the opportunity to fund
  examination & fixes
Why Use OSS + Model
Problem
• ‘hostage’ to legacy, proprietary components
  – Time is a significant driver – sometimes forced to ‘re-engineer’ the solution created decades ago
• Interoperability issues: Services, commands and systems
• Increasing complexity of code
• We develop code that isn’t readily accessible or reusable
• Development/maintenance costs outweigh COTS costs
• Timely delivery of new solutions
• Keeping up with innovation/change

Opportunity
• Agility
  – Faster development
  – Faster deployment: need to have impact during fight
  – Better transition
• Decrease likelihood for vendor lock-in
• Potentially lower costs
• Greater interoperability
• Knowledge capture
• Communities around capabilities
Software Maintenance Strategies

Future Warfighting Context
• Current High IT Technical Debt
• Restricted funding
• More smart InfoTech people outside the
  military industry than inside it
• .mil not driving the train for technologies
• Optimization of IT coming (cloud, DevOps, etc.)
What is Special becomes Commodity
[Diagram labels: Business & Private Industry Software; C4 Software; ISR Software/Hardware; Less Special]
Why OSS?
• Commercial best practice
  – Closed source companies use OSS as a way to shift
    costs, stay current and focus on value
  – SaaS, IaaS, PaaS: fixed price service based models
    becoming prevalent (all use OSS)
• More smart people outside than inside
• Can see and examine source code
• Current tech communications and coordination
  costs slow everything down
• Generational
Collaborate on Source Code?
• We share data, why not source code?
  – Further, why not collaborate on source code?
• Utilizing OSS model is a great way to increase
  local capacity and support base
  – Increase supply base
  – Lower costs since source code accessible
     • Also gives you options with suppliers
  – Leads to more Competition
Also: Just-in-time Coding: DevOps
• Continuous Delivery
  – Test-enabled QA automation
  – Incremental to aggregate flow of soft components
  – If tests pass, feature/fix goes to production
Cloud services are prime opportunities for continuous delivery of capabilities.
Software can be a Renewable
MILITARY Resource
• Software has become central to how
  governments, corporations and enterprises
  conduct their business & mission
• For reliance on software to be a strength,
  must pursue an active strategy to manage the
  software portfolio & foster an internal culture
  of open interfaces, modularity and reuse
OSS Code Flow
[Diagram labels: Inside (US Gov only); .mil/.ic; Classified / Closed; ITAR; Outside (Industry + Coalition); Open Source Software]

Commoditize and open core infrastructure to:
• increase capability
• increase speed of development / deployment
• lower costs, barrier to entry and vendor lock-in
How
Strategy
• Always on technical development options
• Fight Joint, Develop Joint?
• Commit to open source development model
  with International Partners
• Recognize: software is malleable, never done
• Set Intellectual Property Strategy
• Come to terms with ITAR
Gov/Military IP Knot
Strategic Intellectual Property:
Bad, no strategic policy on how the software ecosystem should function for military: i.e., how the military enterprise might exercise software IP

We don’t manage taxpayer IP
Review: ITAR and OSS
• Use of: Software with an open source license is COTS
   1. DOD-CIO Memo 2009 on OSS: In almost all cases, OSS meets the definition of “commercial computer software” and shall be given appropriate statutory preference in accordance with 10 USC 2377 (reference (b)) (see also FAR 2.101(b), 12.000, 12.101 (reference (c)); and DFARS 212.212, and 252.227-7014(a)(1) (reference (d)))
   2. Existing COTS OSS is already in the public domain with or without Gov approval

• Release fixes: How to put software back into public
   1. Need to go through public release for confirmation

• Create new: How to release software to become OSS
   1. Need to go through public release for confirmation
   2. Once released, it's public

Ref: http://www.dwheeler.com/essays/dod-oss-qa.html#itar
ITAR
• Use of OSS can simplify technology sharing with defense
  partners
• Configurations of systems should be controlled
• Key Points:
   – How to interact with outside communities
   – Need to push bug fixes outside
   – MUST build modular systems
Great Ref: “Publicly Releasing Open Source Software Developed
  for the U.S. Government” David Wheeler
   – http://journal.thedacs.com/issue/56/180
It's being done
NSA
• Accumulo
• RedHawk
• Ozone (although it took an act of Congress)
Army
• 2525 Renderer
Many, many more….
Distributed Data Framework
• Standalone DDF instances interoperating w/DIBs
  – OpenDX includes DDF federating with the DIB
[Diagram labels: DDF; Federate; DIB 4+; Federate; DIB 1.3 – 4+]
• DDF federates with DIB 4+
• DIB 4+ federates with legacy DIBs (Requires
  configuration, network access, coordination)
• DDF Platform/ESB
  – PL/3 Web Service Security
  – Cloud Scalability
• Key Features
  – Unzip and Run
  – Extensible capabilities
  – Minimal footprint
  – Cross-platform
• DDF Applications
  – Metadata Catalog
     • Federated Search Aggregator
     • REST & OpenSearch Interfaces
     • Solr Open Source Database
  – Content Framework: Ingest common file formats (e.g., MS Office, JPEG, PDF, etc.)
  – Metrics: Performance and availability

http://codice.github.io/ddf/
DDF Config Mgmt
[Diagram labels: External FOSS Sites; MaceFusion.com; .mil; LMCO Manage Configuration; DIB Apps + LMCO Control; CM Software Build; DIB; DIB]
How
Tactics
• Where is the source code?
• Standards must be publicly available
• Must simplify development, too much
  bureaucracy
• Must encourage developers to talk with each
  other
• Speed: processes must be continuous
• Commoditization
Intentionally Commoditize Tech
Crazy idea

             NATO … 5-eyes …
Military Software Open Code Consortium
New OSS Challenges
• Speed and how to keep up with change
• Security for Software
• Software supply chain
Software Supply Chain
• Utilizing OSS means you are on the
  development cycle of that community
• Software Supply Chain
  – What/Where is your software?
  – What are your dependencies?
  – How fast can your enterprise:
     • Update or
     • deploy new software, patches or
     • react to vulnerabilities?
Expose & Manage the Software Supply Chain
[Diagram labels:
 Source Code & Artifact releases + updates: COTS, SaaS, OSS, GOTS; Releases, Patches, Upgrades, New Features, Vulnerabilities, Dependencies, Libraries, SDKs
 AirGap Engine: Scanning/Vetting, Test, Rollback, Updated/Patched, Version Management, Provenance, Audit Trail, Vulnerabilities, Supply Chain Vetting, Modernization
 Repos: Snapshots, I/A'd, C&A'd, Other; I/A, C/A; Events, Logs, Issues
 Enterprise Needs: Costs? Managed? Vulnerable? Affect on operations? Support Tail?; Office Software, Other Comp., Field
 Other n-tiered Networks]

Enable client to expose, automate, and sustain the Software Supply Chain
for speed of delivery from raw “material” to enterprise operations
- Software Logistics is key for Tech Transition and Sustainment
Unclassified

‘Everything becomes Legacy’

Groups

         www.mil-oss.org
         www.opensourceforAmerica.org
         www.opensource.com