Latest report on security and sustainability of Open Source

The latest survey of over 1,200 contributors provides recommendations for more secure Open Source Software

Published on: 21/12/2020

A new report on a survey of over 1,200 Open Source contributors has been published as part of a broader research effort on improving the security and sustainability of Open Source Software.

What are the most urgent issues related to Open Source security and maintenance? How can the reliability of the most important Open Source projects, the cornerstones of modern digital infrastructure, be improved? These are some of the questions that researchers from The Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) set out to answer in their latest "Report on the 2020 FOSS Contributor Survey".

The survey examined several factors related to Open Source Software contributors: demographics, motivations, pay, time engagement, needed support, their current security-related activities, and the education and training provided to them. These issues matter to the private and public sectors alike, since vulnerabilities in Open Source projects pose an equal threat to all stakeholders, and the report's authors present some solutions that can mitigate these risks.

The key insights of the report include:

  • Open Source Software developers are usually employed full-time (almost ¾ of the respondents of this survey) and over half of them are paid for developing Open Source Software. As they indicated in their responses, the three most important motivations for contributing to Open Source projects are non-monetary: developing a needed feature, enjoying learning, and exercising creativity through enjoyable work. According to the report, this means there has to be more support for new contributors' learning, such as free courses and the sharing of best practices, a balance between creative and mundane tasks, and financial aid not only in the form of payment to contributors but also in the form of security audits, computing resources and travel.
  • There is a need for support and funding to increase the security of Open Source Software, because, as the survey indicates, only 2.27% of the time spent on contributing to Open Source is spent on responding to security issues. To mitigate security issues, regular security audits should be funded, secure software development practices implemented, and security training provided for employees. Other methods include badging and mentoring programs, and incorporating security tools and automated tests as an integral part of the development process.
  • Governance of Open Source Software projects is crucial. While the private sector is increasingly supporting its employees' contributions to Open Source Software, there is a need for greater transparency and long-term commitment to supporting crucial projects. Transferring projects to the neutral governance of a foundation is indicated as a good way to ensure their stability and sustainability.
  • Over 45% of employees are allowed to freely contribute to Open Source projects, compared to 35% ten years ago. However, companies don't always have clear rules on such engagement; there should be more promotion of contributions to Open Source Software projects and clear guidelines for developers.

As Frank Nagle, co-author of the report and an assistant professor at Harvard Business School, said: “A lot of the solutions to the problems that are identified require a multi-organisation level of involvement.” This multi-stakeholder approach requires companies, individual developers, the public sector, foundations and independent organisations to work together for more secure and robust Open Source Software projects, which are crucial to the digital infrastructure that all of these actors rely on equally.

The report on the survey is complementary to the “CII Census II Preliminary Report — Vulnerabilities in the Core” published in February 2020.