Victor Barajas

The Impacts of Open Source Software in Hospitality and Gaming

The recent acquisition of GitHub by Microsoft has changed the landscape for software developers. If you are not familiar with GitHub, it is a very popular software development platform that provides version control and source code management. What is interesting about this acquisition is that GitHub has been a steadfast tool for Open Source Software (OSS), while Microsoft has historically been a Closed Source Software (CSS) company, better known as a developer of proprietary software, where no outside developer is allowed to see the internal workings of its code. OSS is code that is developed and reviewed by anyone in the open community, and it is free for anyone to download and use. This article looks at how OSS has impacted, and will continue to impact, the Hospitality and Gaming industry from a security and industry perspective.

In the world of IT, software is becoming increasingly pivotal when it comes to strategy. In the past 20 years, the Hospitality and Gaming industry has heavily relied on products and solutions from manufacturers such as Microsoft, Oracle, Cisco and many others. This essentially means that as a manufacturer develops a solution or capability, we are then limited by that solution’s capabilities. We have relied upon them for innovation and overall reliability of their products, and in many cases, have been hampered by this model. Product development cycles for many manufacturers can be anywhere from six months to several years depending on the impact of the feature request from the customer. This has changed how some organizations approach solutions development. Many have decided to bring some software solutions development in-house to accelerate innovations and create a competitive advantage. This can be a costly and complicated approach, but if done well, can build an innovation engine that can help IT departments make a direct impact on business goals and initiatives. The problem with in-house development is that software code is now a company asset, and as such, requires vigilance and discipline in maintaining, protecting and securing it. That was one of the goals of GitHub – to provide a solution that could help organizations develop better software development processes. A significant issue for in-house software development teams is the overall security impact of custom solutions. Not only do organizations have to worry about protecting the assets from theft, they now also have to be concerned about the integrity of the software to ensure that software exploits don’t expose sensitive information to hackers. This can be a massive effort for chief information security officers and development managers.


An interesting case study comes directly from Microsoft. In the days of the Windows 95 and Windows XP operating systems, security was not a core element of the development process. As a consumer and business user of these operating systems, it seemed that viruses and exploits arrived in a constant stream. As the root causes of these viruses, worms and exploits were identified, it was clear that the vulnerabilities were at the operating system level. As fast as Microsoft fixed one vulnerability, another was discovered the next week. These constant security breaches created chaos for IT departments, because the net impact of these vulnerabilities was outages, data leaks and, in many cases, lost productivity for the user community. The IT department was left to close these vulnerabilities, which required a significant amount of labor and time. As more negative press emerged about Microsoft's liability in these exploits, Microsoft was forced into a massive overhaul of how it approached security in developing its software: it started a new security training program that every single developer was mandated to go through, and it implemented new software security tools to check for known vulnerability patterns within the source code itself.

In many cases, Microsoft had the task of cleaning up major issues with how their products were architected and designed. This leads us back to OSS and how security is approached. As I mentioned previously in this article, OSS is open for all to review the actual source code of operating systems, database systems, middleware and applications. The thinking is that because the source code is exposed to everyone, it has many more reviewers than CSS, so vulnerabilities are revealed more quickly and fixes are released more often. A great example of how this has been successful is the Linux operating system. Linux was initially developed in 1991 by Linus Torvalds and is a family of free and open source operating systems built around the Linux kernel. A kernel is the program that manages input/output requests from software applications and handles access to CPU and memory resources on the computer. It is the core of the computer or server and the most critical component for stability and security. Because Linux has been public for so long, there have been many revisions and distributions that have made it extraordinarily secure and flexible. The Android OS is an example of the Linux kernel's flexibility, and it has made Linux the largest installed base of all general-purpose operating systems. Linux is also used on servers and mainframes and provides an excellent general-purpose platform for many workloads. In the Hospitality and Gaming industry, we see Linux and other OSS in point-of-sale (POS) terminals, slot machines, network equipment and Internet of Things (IoT) devices such as cameras and voice-control devices like Amazon Alexa. It is very prevalent in the industry; you just have to recognize it in your solutions.

Figure 1 - Security/Everything as Code

So, what is the security exposure of OSS, and what should I be aware of? One of the most significant OSS-related breaches was the Equifax breach in 2017. In this case, it was preventable: a patch to the Apache Struts web-application framework was available to close the vulnerability, but IT administrators at Equifax failed to maintain patch levels. This has caused a significant amount of issues for Equifax, and the fact that an OSS solution was involved didn't help the case for the use of OSS. However, as we see the continuous, widespread adoption of open source projects and the use of agile development methodologies, organizations must learn to mature faster with open source and begin implementing open source best practices more quickly.

That leads me to the topic of what is known as "DevSecOps." The purpose and intent of DevSecOps is to instill a mindset that everyone is responsible for security, and to achieve greater efficiency and productivity through team collaboration and the adoption of security principles. The idea is that DevSecOps practitioners work alongside developers at every stage of the development process. This ensures that security is a priority rather than a process that happens at the end of a development cycle, where it is slow and comes too late to change the design. Some of the principles of DevSecOps are least-privilege access, collaboration, team testing, continuous security monitoring and "security as code." Security as code reflects a philosophy that policies living on paper don't keep pace with constant evolution and lessons learned, and that everything, including policy, should be represented as software. Figure 1 (Security/Everything as Code) illustrates this by showing policies and procedures expressed as code that is shared between a cloud solution and an on-premises solution.

Implementing DevSecOps requires a shift in culture and thinking among both your developers and your operations team members, just as DevOps did for those same teams, with the addition of security practitioners. This does not typically happen overnight; rather, it is a gradual change in which you replace existing frameworks and processes with new lessons and approaches. Some will work and some won't, but change takes time and is a constant among successful organizations. This also applies to vendors who adopt open source as the basis of their solutions. You should be able to have open and detailed conversations with them about their development practices and how security is implemented in their development teams.

One issue that can be a constant risk is the use of open source code libraries. In many cases, it can be difficult to recognize vulnerabilities in OSS code libraries, especially if they are not widely used or they don't have the community following of larger, more commonly used libraries. Dependencies in an OSS project may pull in third-party libraries that hide vulnerabilities which are hard to recognize initially and difficult to track. In some cases, a dependency can be several projects removed from your own code, making it even harder to recognize and turning it into an attack vector that can be exploited.
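The transitive dependency problem described above is exactly what an automated audit should surface: not just that a vulnerable library is present, but the chain of dependencies that pulled it in. The following is an added example (not code from the article) that walks a constructed dependency manifest, resolves every indirect dependency, and checks each version against a constructed advisory list; the package names, versions and advisories are all made up for illustration.

```python
"""Audit a dependency tree for known-vulnerable OSS libraries, including
those several levels removed from the application itself."""
from collections import deque

# Constructed sample manifest: package -> (installed version, direct dependencies).
# These are illustrative names, not real projects.
MANIFEST = {
    "pos-terminal-app": ("3.1.0", ["web-frontend", "receipt-printer"]),
    "web-frontend": ("2.4.1", ["http-client"]),
    "receipt-printer": ("1.0.9", ["image-codec"]),
    "http-client": ("0.8.2", ["url-parser"]),
    "url-parser": ("1.2.3", []),
    "image-codec": ("4.0.0", []),
}

# Constructed advisory feed: package -> (first affected version, first fixed version).
ADVISORIES = {
    "url-parser": ("1.0.0", "1.2.5"),
    "image-codec": ("3.9.0", "4.0.0"),  # 4.0.0 is the fixed release, so not affected
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of integers."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, advisory):
    """True when first_affected <= version < first_fixed."""
    first_affected, first_fixed = advisory
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)

def dependency_paths(manifest, root):
    """Breadth-first walk of the dependency graph. Returns every reachable
    package with one path (root -> ... -> package) explaining why it is present.
    The visited check also keeps cyclic dependencies from looping forever."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in manifest.get(pkg, ("?", []))[1]:
            if dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths

def audit(manifest, advisories, root):
    """Return one finding per reachable package whose installed version is in
    an advisory's affected range, with the depth and path that pulled it in."""
    findings = []
    for pkg, path in dependency_paths(manifest, root).items():
        version = manifest.get(pkg, ("?", []))[0]
        if pkg in advisories and version != "?" and is_affected(version, advisories[pkg]):
            findings.append({"package": pkg, "version": version,
                             "depth": len(path) - 1, "path": " -> ".join(path)})
    return findings

if __name__ == "__main__":
    for finding in audit(MANIFEST, ADVISORIES, "pos-terminal-app"):
        print(f"{finding['package']} {finding['version']} (depth {finding['depth']}): {finding['path']}")
```

Run against the sample manifest it reports only url-parser 1.2.3, three levels below the application, and reports the path through web-frontend and http-client that a developer would need to follow to get it upgraded.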

To better safeguard against these potential issues, developers and security practitioners need to embrace some key practices to identify hidden security flaws. First, embrace automation. Many organizations manage security manually, which is time consuming and costly. Frontline tools such as Dynamic Application Security Testing (DAST) scanners are a good starting point; there are many solutions to choose from, many include monitoring capabilities, and some can even serve as an effective Security Information and Event Management (SIEM) tool.

Second, bring your developers and security personnel together to instill a culture of security in all processes and strategy. This is really focused on the DevSecOps approach discussed earlier.

OSS has many advantages for enterprise customers and is mature enough that you can put your most critical data on these systems. However, it is still software, and it requires discipline and process to continuously verify and validate that your code is secure in operation. Many large-scale vendors have shifted from closed software platforms like Microsoft .NET to Linux and other OSS because of cost and tool availability. Also, most new developers are already learning on OSS systems, and the fact that even Microsoft has invested in open source solutions like GitHub validates that the future will rely more heavily on OSS. Security is going to be an essential element of any platform, open or closed, and it's not just the CISO's responsibility to raise awareness about security. In the case of OSS, it's everyone's responsibility.

Victor Barajas serves as the Account Executive for Hospitality and Gaming customers at Technologent in Las Vegas, NV. Mr. Barajas is responsible for establishing the strategic development of enterprise customer solutions utilizing hardware, network infrastructure and security systems. Mr. Barajas has over 17 years in the Hospitality and Gaming industry and has been involved in more than 6 casino hotel openings and system conversions. Prior to joining Technologent, he served as part of the Hospitality and Gaming vertical team for both Microsoft and HPE and served as a Technology Strategist for Las Vegas for 7 years.