How can incentivizing maintainers improve your open source software security?
In the wake of several recent high-profile security vulnerabilities impacting open source software, many organizations are actively seeking new strategies to demonstrate and ensure that the critical open source dependencies they depend on stay secure and healthy. Donald Fischer of Tidelift explains how enterprises can upgrade their open source software security.
While many of these efforts focus on reactive strategies like scanning the software for vulnerabilities, that approach has one critical shortcoming: it can only identify known issues. Organizations seeking to make sure their open source software supply chain is secure should also explore ways to proactively ensure security vulnerabilities don’t make their way into the open source projects they depend on in the first place.
Understanding how to proactively improve open source health and security begins with understanding open source maintainers—the people who create the software we depend on and keep it up to date. But many organizations know very little about the people behind these projects and what motivates them.
60% Of Maintainers Are Unpaid Hobbyists
A recent survey of open source maintainers by our organization, Tidelift, found that 60% of maintainers describe themselves as unpaid hobbyists while only 13% describe themselves as professional maintainers who earn most or all of their income from their open source work.
60% of maintainers describe themselves as unpaid hobbyists
Source: Tidelift
The high percentage of open source maintainers considering themselves unpaid hobbyists should be alarming for any organization that depends on their work to power enterprise applications.
After all, the expectations we can place on unpaid volunteers are very different from those placed on those who are paid for their work. Your organization would never consider asking for unpaid volunteers to be in charge of network security (“try to fit it in after soccer practice, Bob!”) or see who in the neighborhood raises their hand to inspect the structural engineering plans for your new office building. Yet expecting unpaid open source maintainers to ensure their projects meet your organization’s security standards has seemed somehow normal…until now.
Maintainers on the Brink
As more and more organizations become heavily reliant on open source to power their applications (according to GitHub, over 90% of companies are using open source), they are pushing for higher security standards that mimic what they expect from their own internally developed software.
Industry-driven initiatives like the OpenSSF Scorecards project are codifying common secure development practices that all open source projects can follow. Even the U.S. government has gotten into the game, with the National Institute of Standards and Technology (NIST) creating a Secure Software Development Framework with practices that any organization selling software to the government must attest they follow (including for the open source software built into their applications). The U.S. government is now even offering “safe harbor” protections to organizations that can show they are following the secure software development practices outlined in the NIST framework.
See More: Top Software Development Challenges in 2023
One Problem: Most Maintainers Haven’t Been Looped in Yet
More than 50% of maintainers aren’t familiar with these new security standards initiatives at all. And of those who are aware of the standards, only 43% have already begun the work to ensure their projects follow those standards or plan to within the next year.
When we asked maintainers who do not plan to align their projects with these security standards to tell us why, the top reasons they shared were that they don’t have the time and are not being paid for the work.
As a whole, maintainers are stressed out, lonely, and underpaid. When we asked maintainers to describe what they dislike about their work, they identified the top four reasons as 1) stress, 2) not being financially compensated for their work, 3) loneliness, and 4) being asked to comply with requirements they don’t have time for.
In fact, almost 60% of maintainers have either already quit or considered quitting maintaining their projects, in part because of factors like these. The crisis of overworked, underpaid open source maintainers creates risk for all of our organizations.
How Can You Help?
These statistics should serve as a wake-up call for organizations dependent on open source. Against a backdrop of increasing software security vulnerabilities and increasing attention from industry and government on open source security, what can your organization do to help maintainers improve open source security?
One obvious answer is to ensure the open source maintainers behind the projects you rely on are being paid to follow a specific set of secure development practices. We asked both paid and unpaid maintainers whether they were following a set of standard best practices around security, maintenance, and documentation and paid maintainers were 20-30% more likely to follow these practices than unpaid maintainers.
In some cases the differences were stark. Paid maintainers were 26% more likely to provide fixes and recommendations for vulnerabilities and 27% more likely to have a security vulnerability disclosure plan. Paid maintainers were 30% more likely to have a reproducible and verifiable build process and 32% more likely to have a formal policy about backward compatibility.
Paid maintainers complete security and maintenance tasks more often than unpaid maintainers
Source: Tidelift
While there are several different ways now to funnel money to maintainers, you should focus on those that ensure maintainers have recurring income over time (so they can continue to adhere to these security standards not just now but into the future) and those that directly pay maintainers to achieve the sorts of security and maintenance outcomes your organization needs.
Another thing you can do is to get curious about where the open source code you depend on comes from. The more you understand about the source of your ingredients, the more you can do to ensure the maintainers and communities that help these projects thrive are able to continue their important work.
Every Open Source Project Is Unique
Not all open source projects are created (and maintained!) equally, and while some may have extensive corporate backing already, other important projects may be maintained by a solo maintainer who is looking for additional help beyond money. Some projects are seeking co-maintainers, help with documentation or a number of other important tasks. Perhaps your organization could even get involved in contributing code or recruiting contributors to the projects you depend on most to make them even more valuable.
Open source has become the de-facto development platform for modern applications, and it’s not going away anytime soon. So those of us who rely heavily on it for our own success will only benefit if we can create the right set of incentives for the maintainers behind the important open source projects we use every day to keep doing their important work into the future.
How are you tackling the security challenges of your open source software projects? Share with us on Facebook, Twitter, and LinkedIn. We’d love to know!
Image Source: Shutterstock
