Companies need to incentivise maintainers to keep open source software secure.
Every enterprise today is using open source software (OSS) or software with open source components, with Facebook, Google and IBM just some of the household names relying on and contributing to open source.
The OSS movement has delivered some of the most important technologies, including operating systems, web browsers and databases, and is responsible for the breakneck speed of technology development over the last several decades. Not only that, a 2020 Red Hat report found that 95% of survey respondents (up from 89% the previous year) considered OSS to be strategically important to their organisation’s overall enterprise infrastructure software strategy.
OSS gives enterprises the agility to succeed
Historically, enterprises have built proprietary solutions to protect their intellectual property, but the accelerating speed of software development means trying to do everything on your own is an increasingly difficult and costly option. By the time many organisations are ready to launch a project, a rival has overtaken them.
In contrast, using OSS to leverage existing code means organisations can prioritise work on their IP and product-differentiating features — which means lower costs and a shorter time to market. Open source provides many of the building blocks needed for a new project, so it can be rolled out faster.
Once a proprietary project is deployed, the cost of maintaining the software can be significant. As time goes on, support costs for legacy software increase in line with a decline in the benefits gained from that support. However, by adopting OSS and sharing the cost of maintenance across multiple companies, organisations can target their investments more effectively and keep their focus on innovation.
The OSS movement provides maintenance support through a community of security researchers and maintainers who identify and fix bugs. With a broad community of developers maintaining the code, there are more opportunities to catch potential bugs before they become a problem.
Enterprises that take a proactive approach to open source and engage actively in it also get the opportunity to influence the future of the open source projects that power their infrastructure, as well as contribute tools that make software development better for all teams. This kind of influence helps to attract and retain top talent, as well as build an organisation’s reputation.
Companies that strive to establish themselves as good open source citizens, contributing to the good of the projects and the industry, are perceived as good companies.
Gaps in OSS security are becoming apparent
The wide adoption of OSS across all industries has subjected popular projects to the scrutiny of malicious actors who want to use them as an attack vector to gain access to companies and their data. Because the code is open source, attackers can study it and use its vulnerabilities to target the company, exfiltrate data, launch ransomware and commit other cybercrimes.
In an ideal world, security researchers study vulnerabilities in OSS dependencies and notify the maintainers, who fix them. Maintainer-led disclosures ensure that vulnerabilities are fixed and that a patched version of the library is deployed and published. However, if the maintainer does not fix the vulnerability, the security researcher reports a CVE (Common Vulnerabilities and Exposures) entry, notifying everyone that the library is vulnerable and that there is no patch available for it.
Security vulnerabilities benefit cyberattackers, the vendors of security products and the security researchers who are sponsored or employed to find the bugs, but there is little incentive for maintainers to fix the vulnerabilities. They want their software to be used, but they don’t want the aggressive emails they often get when they don’t patch vulnerabilities quickly enough. This situation needs to change.
Don’t be the person who expects somebody else to do the work. If you use OSS, you should be prepared to help in maintaining it.
Everybody gains when everybody contributes
The more people involved in the open source community, the more secure the code becomes. With greater numbers of people watching security alerts and, more importantly, fixing the vulnerabilities that arise, enterprises can be confident that the software is protected.
Furthermore, organisations that engage actively with open source and support it in practical ways can influence the direction and outcomes of the open source projects that drive their infrastructure and contribute tools that enhance software development for everyone.
Companies need to step up
The open source community operates in a culture of collaboration, which can be alien to companies pursuing commercial goals. But if enterprises want to ensure the health and security of the open source they use in their overall infrastructure software strategy, they must be prepared to invest in it.
These companies have an interest in ensuring bugs are fixed and that projects evolve in the direction they want them to. They should contribute to open source projects because it is in their business interest to do so.
Large enterprises such as Intel, Yahoo and Snapchat all run bounty programmes to incentivise the identification of security vulnerabilities. In November 2019, the GitHub Security Lab launched a specialised bounty programme that incentivises eradicating security vulnerabilities at scale, rather than paying hunters to find them. It has since increased the bounty rewards for the High and Critical levels of its programmes. Hacker-powered security platform HackerOne has also joined forces with the Node.js Foundation to create a bug bounty programme to make Node.js third-party modules more secure.
The issue with most bounty programmes is that they reward those who find bugs — not those who fix them. The obligation falls to companies to invest resources in incentivising maintainers too, because they are the people who ensure the software companies and their customers rely upon is secure.
Contributing to the open source community in such a practical way is not just the right thing to do — it translates into more innovative, interoperable, scalable and secure solutions for everyone.