As we step into the year 2024, the OpenSSF envisions a year marked by transformative growth, heightened resilience, and new opportunities for individuals and organizations contributing to the flourishing ecosystem of open source software. While our recently released 2023 OpenSSF Annual Report highlighted some accomplishments of the OpenSSF, for a touch of fun, we also asked OpenSSF leadership to share some of their insights into the ever-evolving landscape of open source security. Let’s explore what our experts have to say about the future of open source security in 2024 and the exciting possibilities that lie ahead.
Omkhar Arasaratnam, General Manager of the OpenSSF, is a prominent voice in the cybersecurity and open source community, and he foresees a challenging yet transformative year in OSS security.
The next Log4j is coming soon. Anticipating the imminent arrival of the next Log4j-level vulnerability, we are overdue for the next Log4j, and there’s a high probability of another major attack in the coming year. Look no further than this winter season when bad actors will step up attacks to take advantage of thin cybersecurity teams, already stressed by the holidays.
Security becomes even more of a team effort. Emphasizing the collaborative nature of security, Omkhar predicts a shift towards a team-oriented approach. Software supply chain security impacts all pieces of our economy, so it will gain ground as a top priority with increased security controls in software repositories, more education of software developers around security, and increased understanding of the value of SBOMs, which list software components so everyone knows what’s inside and whether it is secure.
SBOMs win the popular vote. Companies will start to shift their view of SBOMs from a check-the-box mandate to something desirable, like airbags in a car, and something consumers want. While tech powerhouses have SBOMs in place, the rest of the Fortune 500 and others should start to catch up next year. SBOMs list software components so everyone who uses that software knows what’s in it, like a nutrition label on the back of a cereal box.
Companies get creative on filling open cybersec recs. As everyone from casinos to shipping ports increases their focus on cybersecurity, companies will begin to drop traditional requirements (like a bachelor’s degree) for cybersecurity jobs and take more of a skills-based approach. Cybersecurity could even be one of the first areas of tech to overcome long-standing diversity issues – and more diverse teams will see greater success in shoring up defenses. Those interested can check out our jobs board here.
Memory safety becomes more surgical. We are going to get a lot more mature and nuanced about what we mean when we advocate for memory safe programming languages. For example, with C++ it’s pretty easy to stick your hand in the buzzsaw when it comes to allocating or deallocating memory, and that has been something that has plagued the industry for a while. Like all pendulums, this swung the other way and suddenly the answer to fixing all of this is to rewrite everything to a memory safe language like Rust, but Rust isn’t perfect either. As a software engineer, every time you rewrite code, you risk introducing a bug. I think the right approach is more nuanced. We must be risk-based when it comes to memory safety, meaning we won’t rewrite all your core banking code or all of the software that powers your power plant. It’s going to be much more surgical – where there’s a relevant security issue that needs to be addressed or as new code is developed. This will create a bit of homeostasis, with a better balance in the choices we make in terms of rewriting code vs. providing different protections around legacy code.
LLMs take on their first tasks in cybersecurity. LLMs will start being used to address security problems in bulk, including to pick up on typical coding errors and rectify them, eliminating entire classes of security issues. LLMs could also be helpful in converting legacy code into memory safe code at scale. Humans are not the best at large-scale migrations of code bases from one language to another, often accidentally introducing bugs. LLMs can provide a huge benefit here. We hope to see new AI approaches to open source software security and tools to combat cyber threats take shape in the AI Cyber Challenge that DARPA is hosting in collaboration with OpenSSF and others.
Dr. David A. Wheeler is Director of Open Source Supply Chain Security at the Linux Foundation. He is an expert on open source software (OSS) and on developing secure software, having authored the Developing Secure Software course. He offers predictions that shed light on the evolving dynamics expected in 2024.
Rising awareness of OSS dependencies. Some organizations are aware that they depend on open source software (OSS) and are already participating in the development of the OSS that matters most to them. As governments increasingly mandate software bills of material (SBOMs), many organizations will become newly aware of their OSS dependencies. Some will fail to act. A few organizations will act on this new-to-them information, and become newly-active participants in the OSS they most depend on. This will produce improved functionality and security for that OSS and those organizations’ products and services. Expect to see press releases from some organizations announcing their new activities and successes.
A shift towards stronger authentication measures. Software forges (e.g., GitHub and GitLab) and package repositories/registries (e.g., npm registry and PyPI) will continue transitioning to require the use of stronger authentication mechanisms (two-factor authentication (2FA)/multi-factor authentication (MFA)). GitHub is requiring 2FA for all contributors by the end of 2023. A vocal minority will complain. You’ll also see a dramatic decrease, by orders of magnitude, of cases where an attacker inserts malicious code into OSS by taking over an OSS maintainer or contributor account. It’ll improve the lives of everyone except the attackers’.
Code creation using AI/ML will continue to accelerate, including for OSS. This will further accelerate growth in OSS. Some of these code-generation services will try to reduce the vulnerabilities in generated code, but it’s hard to do in general, so they’ll only be partly successful. Some developers will become aware that AI/ML generated code often includes vulnerabilities, and will take proactive steps to counter vulnerabilities such as careful review and checking the code with tools. Others won’t take such steps, with predictable results.
Dynamic Year Ahead
As we navigate the complexities of OSS security in 2024, the insights from both Omkhar and David paint a comprehensive picture of the challenges and opportunities that lie ahead. The collaborative and nuanced approaches proposed by Omkhar, coupled with the organizational shifts and advancements in authentication mechanisms highlighted by David, signal a dynamic year for the open source security community. The integration of LLMs and the continued growth of AI/ML in code creation add further layers to the evolving landscape of OSS security, shaping a future where proactive measures and collaborative efforts will be paramount in fortifying the digital ecosystem.