By Anna Hermansen, Ecosystem Manager at Linux Foundation Research
Open Source Software (OSS) has become a cornerstone of modern software development, powering countless projects and platforms. As the reliance on OSS continues to grow, ensuring the security of these projects is of paramount importance. The Linux Foundation’s recent research report, titled Maintainer Perspectives on Open Source Software Security, provides valuable insights into the views and practices of OSS maintainers and core contributors. Insights were derived from survey data, and the report features a foreword from Cisco’s Stephen Augustus, a maintainer, contributor, and one of open source’s most active participants.
Why does this report matter?
Maintainers are the engine of open source, and have a unique perspective on security. So which security practices do they espouse, and what ideas do they have to encourage their adoption? If we don’t understand where maintainers are coming from, we have fewer opportunities to provide them with the necessary tools and resources that they very much need.
Here are the report’s key findings:
- Maintainers are (generally) optimistic about security. By the end of 2023, 72% of maintainers and core contributors express confidence that OSS will be secure. This positive sentiment reflects a collective belief in the ongoing efforts to bolster security measures within the OSS community.
- Tooling is key to approach security. The report highlights that the top approach for evaluating the security of OSS packages is the use of Software Composition Analysis (SCA) and Static Application Security Testing (SAST) tools. These tools play a crucial role in identifying vulnerabilities and ensuring the integrity of the software supply chain.
- Manual code review is still a pervasive practice. Despite advanced automated tools, 39% of maintainers and core contributors still engage in manual code review.
- Basic documentation is lacking. While project documentation is prevalent, it is not universal. The report notes that 87% of projects provide basic documentation. This emphasizes the need for comprehensive and standardized documentation to enhance accessibility and understanding.
- More than half of projects support reproducible builds. Ensuring that builds are reproducible aids in verifying the integrity of the source code and is a critical aspect of maintaining a secure software development process.
- Making security tools more intelligent emerges as the primary approach to improving security across the OSS supply chain. This includes leveraging advanced technologies like machine learning to enhance threat detection and response mechanisms.
- Automation can reduce developer fatigue. The second most favored approach to improving security is reducing developer fatigue through automation. Automation not only increases efficiency but also minimizes the likelihood of human error, contributing to a more robust security posture.
- There is a demand for best practices. A significant 69% of OSS contributors express the need for defined best practices in secure software development. Establishing standardized guidelines can serve as a foundation for maintaining a consistently high level of security across diverse projects.
- The report uncovers that the primary reason for maintaining OSS projects is the enjoyment of learning. This intrinsic motivation underscores the passion and commitment of maintainers to contribute to the open-source community.
- Employer incentives are key. Nearly half (49%) of OSS contributors express a desire for employer incentives for their contributions. Recognizing and rewarding the efforts of OSS contributors can further encourage collaboration and innovation.
- Who is responsible for security policy? The report reveals that 27% of maintainers are responsible for defining OSS security policy, while 30% are tasked with implementing these policies. This distribution of responsibilities emphasizes the need for clear and effective security governance within OSS projects.
Maintainer Perspectives on Open Source Software Security offers a comprehensive view of the current state of OSS security development. From optimistic outlooks to the adoption of advanced security tools and the desire for standardized best practices, the findings highlight the dedication of maintainers and contributors to fortifying the security of open source projects. As the OSS ecosystem continues to evolve, these insights will undoubtedly contribute to the ongoing efforts to create a more secure and resilient software landscape.
Who should read this report?
For maintainers and contributors, this report offers practical approaches, such as the use of advanced tools and the importance of manual code review. It empowers maintainers and contributors to stay abreast of industry trends and best practices, ensuring the continued robustness of their projects.
For business executives overseeing software development teams, they will gain a strategic understanding of OSS security challenges and solutions. This knowledge is crucial for making informed decisions around resourcing, strategy, and technological implementations that align with organizational goals, enhance security postures, and foster innovation.
Whether you’re an academic researcher, policymaker, or technology enthusiast, this report unveils the inner workings of OSS development, from a security perspective. It provides a nuanced view into practices, motivations, and challenges that can inform diverse stakeholders about the critical role of OSS maintainers in the software ecosystem. Download the report today!