It’s time to face the open source security problem


Open source is one of the greatest strengths of the software industry. It’s the vast ocean of code, features, applications and operating systems that allows the smallest startups to compete with the mightiest tech giants. 

Open source code – most often written by small groups of enthusiasts – can be used freely by anyone. It’s the secret ingredient in most software projects, which means developers don’t have to start from scratch every time.

Each of these individual open source projects might be small, but together they make up the vast majority of the software we use.

It embodies a couple of pretty noble concepts: that we gain more by sharing knowledge than by hoarding it, and that even the smallest contribution to the sum of knowledge can make a difference.

The trouble is, a lot of people in the software industry don't see it that way.

They just see open source as a really handy source of free software that they can use as they like. Increasingly that’s an attitude that is causing problems for all of us.

Open source isn’t always perfect. Some developers are building projects that they think are fun or cool, without too much interest or experience in making sure the project is also super-secure. Projects may also stop getting updates or simply be abandoned because the maintainers lose interest or just run out of steam.

More than a pastime

These things might not seem like much of a big deal. Who cares if a little hobby project gets abandoned? 

Well, it becomes a problem if one of those open source projects has been used to build another piece of software that is used by a lot of people, or which props up a piece of critical national infrastructure. 

This happens more than many people realize. According to research by Synopsys, 91% of codebases contained components that were 10 or more versions out of date, while 49% of codebases contained open source components with no development activity in the past two years.

We’ve already seen examples of where flaws in open source can cause a crisis across the tech industry, with Log4j being perhaps the most high profile. The problem is magnified by anonymous bad actors who actively seek to add backdoors to open source for their own (almost certainly malicious) reasons, as in the near miss with XZ Utils, where a backdoor planted by a trusted maintainer was caught before it reached most production Linux distributions. It’s a very bad sign that attackers have identified open source components as a weak point in tech security – and it’s a development that makes it all the more urgent to fix the bigger problem.


All software is built on other software projects, but a lot of software companies are building profitable products by standing on the shoulders of exhausted volunteers or hobbyists who need more money and more help. At the moment, it’s the people who have helped the tech industry to ‘move fast and break things’ who are themselves being left bruised and broken.

As the OpenJS Foundation noted recently: “The pressure to sustain a stable and secure open source project creates pressure on maintainers. For example, many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies who depend on these community-led projects yet contribute very little back.”

So what needs to change? 

To my mind it’s hard to blame the individuals or teams who contribute their time and skills for free to build these projects. Certainly they need help, but the burden should not fall on them alone. Instead, the software industry needs to take more responsibility for the open source software it uses – and profits from. 

Software companies have long been reluctant to provide a software bill of materials – a list of ingredients – for their products. That makes it hard to know what is really inside those products, and so harder to mitigate flaws: when a vulnerability like Log4j’s is disclosed, neither the vendor nor the customer can quickly tell which products actually contain the affected component. Being clearer about what is included in their products will help make the impact of open source clearer.

Software companies also need to do more to support the open source they build on by feeding back security improvements to make everyone safer.

A step in the right direction

There are grounds for some limited optimism that the state of open source security might be about to improve. A number of initiatives are underway, each aiming to tackle the problem from a different direction. Some big tech companies have engineers working directly with widely used open source projects to improve security one fix at a time.

There are other broader efforts like the recently launched ‘Protobom’ – a project from the Open Source Security Foundation (OpenSSF), along with the US Cybersecurity and Infrastructure Security Agency (CISA). This is an open source software supply chain tool that lets developers read, write and translate between the standard software bill of materials formats, such as SPDX and CycloneDX, so a product’s list of ingredients can be produced and consumed in a consistent form. There are also a number of other tools out there and in development.
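What a bill of materials actually buys you is the ability to run the kind of check the Synopsys figures describe against your own products. The Python below is an added example, not code from the article and not part of Protobom or any OpenSSF or CISA project: it parses a constructed CycloneDX-style SBOM and checks each component against a constructed registry snapshot for the two conditions quoted above, being ten or more versions behind and having no upstream release in two years. All package names, versions and dates are hypothetical; a real audit would fetch each component’s release history from its package registry rather than a hard-coded dictionary.

```python
"""Audit a CycloneDX-style SBOM for stale and unmaintained components.

Added example: not code from the article, from Protobom or from any
OpenSSF/CISA project.  The SBOM document and the registry snapshot are
constructed for the example with hypothetical package names; a real audit
would pull each component's release history from its registry (PyPI, npm,
Maven Central, ...) instead of a hard-coded dict.
"""
import json
from datetime import date

# Thresholds matching the two Synopsys measures quoted in the article.
STALE_VERSIONS = 10   # pinned 10 or more versions behind the latest release
ABANDONED_DAYS = 730  # no upstream release in the past two years
AS_OF = date(2024, 6, 1)  # hypothetical audit date

# Constructed CycloneDX 1.5 JSON document with four components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "logkit",     "version": "2.3.0"},
    {"type": "library", "name": "tinyxml",    "version": "1.0.4"},
    {"type": "library", "name": "httpcore2",  "version": "5.1.0"},
    {"type": "library", "name": "vendorblob", "version": "0.9"}
  ]
}
"""

# Constructed registry snapshot: every release of each package, oldest first,
# as (version, release date).  logkit has 12 releases from 2.3.0 (2019-01) to
# 2.14.0 (2022-09); tinyxml stopped in 2018; httpcore2 is current; vendorblob
# is deliberately absent so the unresolvable case is exercised.
REGISTRY = {
    "logkit": [(f"2.{n}.0", date(2019 + (n - 3) // 3, 1 + 4 * ((n - 3) % 3), 1))
               for n in range(3, 15)],
    "tinyxml": [("1.0.0", date(2017, 3, 10)), ("1.0.4", date(2018, 11, 20))],
    "httpcore2": [("5.0.0", date(2023, 9, 1)), ("5.1.0", date(2024, 3, 15))],
}


def parse_sbom(text):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def versions_behind(history, pinned):
    """Number of releases published after the pinned version."""
    versions = [v for v, _ in history]
    if pinned not in versions:
        raise ValueError(f"{pinned} is not a known release")
    return len(versions) - versions.index(pinned) - 1


def days_idle(history, as_of):
    """Days since the most recent upstream release."""
    return (as_of - max(d for _, d in history)).days


def audit(sbom_text, registry, as_of):
    """Classify every SBOM component as stale, unmaintained, unknown or ok."""
    findings = {}
    for name, pinned in parse_sbom(sbom_text):
        history = registry.get(name)
        if history is None:
            # A component that cannot be resolved to a release history is a
            # finding in itself: nobody can tell whether it is patched.
            findings[name] = {"version": pinned, "behind": None,
                              "idle_days": None, "flags": ["unknown"]}
            continue
        behind = versions_behind(history, pinned)
        idle = days_idle(history, as_of)
        flags = []
        if behind >= STALE_VERSIONS:
            flags.append("stale")
        if idle > ABANDONED_DAYS:
            flags.append("unmaintained")
        findings[name] = {"version": pinned, "behind": behind,
                          "idle_days": idle, "flags": flags}
    return findings


def summary(findings):
    """Percentages in the same shape as the Synopsys figures."""
    total = len(findings)

    def count(flag):
        return sum(flag in f["flags"] for f in findings.values())

    return {
        "components": total,
        "stale_pct": round(100 * count("stale") / total),
        "unmaintained_pct": round(100 * count("unmaintained") / total),
        "unknown": count("unknown"),
    }


if __name__ == "__main__":
    results = audit(SBOM_JSON, REGISTRY, AS_OF)
    for name, f in results.items():
        print(f"{name:<10} {f['version']:<6} behind={f['behind']} "
              f"idle_days={f['idle_days']} {f['flags'] or ['ok']}")
    print(summary(results))
```

The point of the fourth component is the caveat a practitioner hits first: an SBOM is only as useful as your ability to resolve each entry to a real upstream, so "unknown" is reported as a finding rather than silently skipped.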

These steps are positive but more would help; the tech industry can’t continue to consider open source projects indispensable, but treat their maintainers as irrelevant. 

While tech executives can enjoy the benefits of open source without much of the responsibility for now, that may be about to change. 

In the US, executives at companies that sell software to the federal government are now required to sign an attestation that their products were developed using secure practices. That may focus their minds on exactly what is inside the products they are selling and, as a result, the responsibility for making sure software is secure may finally be shared in the way it always should have been.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.