By Rebecca Rumbul, Executive Director & CEO of the Rust Foundation
Security used to be something of an afterthought in software development. Security was clunky or inconvenient, often because it was a ‘bolt-on’. That has rapidly changed over the last two years. Now, the world has finally realised that security needs to be ‘baked-in’, not ‘bolted-on’.
The momentum for a systemic overhaul of cybersecurity is growing, and this in turn demands a considered and sustainable approach to achieving common security goals that appropriately allocates obligations, responsibilities and accountability. This means identifying what work is being done, by whom, and pinpointing how that work is directed and remunerated. It also means investing in changing that process.
But to develop this plan for achieving common security goals, we must also invest in changing that process. Anyone even tangentially associated with OSS development knows that unpaid maintainers often bear the brunt of elite decision-making, which can result in disillusioned, overworked and under-compensated communities of developers that have neither the time nor the inclination to undertake the substantial work demanded of them.
Moves to regulate the security of the software supply chain are currently underway in the EU, UK and USA, and this is a positive driver for improvement. But how and who will decide and direct the necessary work? Regulators are not experts in Open Source development. Corporations could claim expertise, and can certainly afford to buy it in, but are not invested in the public good.
The actors that can implement meaningful beneficial impact are critical to consider in how a global approach to securing the digital world is built. Who can advocate for that common good? Who can identify the key issues and gaps? Who can mobilise to build solutions? And who can do this in a neutral and sustainable way that balances the needs of the myriad stakeholders in this space? OSS foundations, like the Rust Foundation, are the only actors that can take on this role. This is because these non-profit organisations are constituted to support the common good in OSS ecosystems. They are close to, and often run by maintainer communities, so they know exactly where the issues exist. They are supported by corporate bodies, so they understand too the needs of end users and product developers. They are ultimately neutral, not for profit, able to take a balanced approach that prioritises the wider benefit, and critically, they can do this work collaboratively in the open. Security work funded by stakeholders and managed by relevant foundations is the best option.
The specific areas of security work that are best directed at the Foundation level center around ‘baking-in’ good security hygiene and practice, benefitting all those using the language downstream. A well-resourced, trusted and responsive security team can address issues with agility and according to priorities for the wider good. Threat-modelling and auditing can identify key areas of risk and develop tooling and features to mitigate those risks. Other possibilities could include implementing SBOM processes and policies for trusted sign-offs for reviews and releases. The security requirements of the modern world necessitate investment in coordinated risk reduction – these extend far beyond simple source code and beyond the capacity of individuals or individual corporations to deliver alone.
Funding this activity sustainably will be one of the biggest challenges. For too long, too many organisations have taken advantage of free Open Source code without giving anything back. While a number of tech organisations are hugely supportive of OSS work, there are thousands more that are net beneficiaries. Until the work conducted by the OSS community is valued as a core public service, and funded as such, it cannot be expected to be responsible for propping up government systems or multinational technologies. The Alpha-Omega Project is a key model in developing this mechanism. As a beneficiary of funding from Alpha-Omega, the Rust Foundation is able to develop, implement and innovate in its approach – targeting security work in the Rust ecosystem where it is most effective for all that use it.
Well-resourced and trusted security facilities of the sort currently funded by the Alpha-Omega Project are also key to increasing business confidence in the security of OSS and in driving adoption in the long term. Rust is being promoted by governments and experts for its memory safety and performance features, but requires sustainable support to deliver on those promises. Corporate organisations reaping the benefits of these features should therefore consider funding the Rust Foundation’s security efforts to secure their own investments in using the language to build their product. This is a more strategic and sustainable approach for corporate partners than hiring in-house engineers, which is a higher cost but smaller outcome and a lower trust approach.
Meaningful and impactful improvements can be achieved in OSS security engineering and development across ecosystems if the work is directed by non-profit foundations and financially supported by a plurality of public and private bodies on an ongoing basis. In this way, all stakeholders can be engaged without holding a monopoly, maintainers can be fairly compensated, and the benefit will be felt by all.
Is your organisation using Rust? Become a Member of the Rust Foundation to support our efforts to secure and maintain the Rust ecosystem.