Open source leaders recently called for permanent government funding to maintain open source projects.
It's true that maintaining open source projects is essential, and it's true that maintainers are drastically underfunded.
It's also true that there are clear benefits to funding and government oversight.
Brian Fox is CTO at Sonatype.
Open source is not the problem… Open source software is essential in today's business environment.
It's also everywhere, making up 80-90% of modern enterprise software.
They even collaborate with competitors in the process.
Sharing common basic tools benefits the talent pool and enables better innovation.
All these benefits are why we all fell in love with OSS in the first place.
Why is this happening?
For context, threat actors are becoming more sophisticated in their efforts to abuse open source ecosystems.
But the biggest reason for this rise in attacks is this: consumers are the problem.
The very people and enterprises consuming open source software are making incredibly poor decisions about what they're downloading.
To understand this, we need only look back at one of the biggest open source vulnerabilities ever: Log4Shell, in Apache Log4j.
Such was the concern around the vulnerability that Apache fixed the issue in a matter of days.
Despite this, 30-40% of Log4j downloads are still of the flawed versions more than 18 months later.
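The check a consumer needs here is not exotic: before a Log4j coordinate goes into a build, compare its version against the versions Apache actually fixed. The script below is an added example, not code from the article or from Sonatype; it parses Maven-style versions (including pre-releases such as 2.0-beta9), maps each log4j-core version to the Log4Shell-family CVEs that still apply to it, and scans a constructed sample dependency list. The fix-version table is transcribed from Apache's Log4j security advisories for the Java 8+, Java 7 (2.12.x) and Java 6 (2.3.x) lines; re-check it against the Log4j security page before relying on it, and note that it covers only these four CVEs, not the unrelated Log4j 1.x issues.

```python
"""Flag log4j-core versions that still carry Log4Shell-era CVEs.

Added example for this article; the dependency list below is constructed
sample input, not a real inventory.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of Maven coordinates, as a build tool or SBOM might list them.
SAMPLE_DEPENDENCIES = """
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-api:2.14.1
org.apache.logging.log4j:log4j-core:2.15.0
org.apache.logging.log4j:log4j-core:2.0-beta9
org.apache.logging.log4j:log4j-core:2.12.4
org.apache.logging.log4j:log4j-core:2.17.1
com.fasterxml.jackson.core:jackson-databind:2.13.4
"""

# Fix versions per CVE and release line, transcribed from Apache's Log4j security
# advisories (assumption: verify against the project's security page before use).
# "main" is the Java 8+ line; 2.12.x and 2.3.x are the Java 7 / Java 6 backport lines.
FIXES: List[Tuple[str, Dict[str, str]]] = [
    ("CVE-2021-44228", {"main": "2.15.0", "2.12": "2.12.2", "2.3": "2.3.1"}),
    ("CVE-2021-45046", {"main": "2.16.0", "2.12": "2.12.2", "2.3": "2.3.1"}),
    ("CVE-2021-45105", {"main": "2.17.0", "2.12": "2.12.3", "2.3": "2.3.1"}),
    ("CVE-2021-44832", {"main": "2.17.1", "2.12": "2.12.4", "2.3": "2.3.2"}),
]

Version = Tuple[Tuple[int, ...], Tuple[int, str, int]]


def parse_version(text: str) -> Version:
    """Parse '2.14.1' or '2.0-beta9' into a tuple that compares correctly.

    A plain release sorts after any pre-release with the same numeric part,
    so 2.0-beta9 < 2.0 < 2.0.1 as expected.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))  # pad "2.3" to (2, 3, 0)
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))  # pre-release
    else:
        pre = (1, "", 0)  # final release outranks any pre-release
    return nums, pre


FIRST_AFFECTED = parse_version("2.0-beta9")  # first version with the JNDI lookup


def release_line(v: Version) -> str:
    """Pick which backport line a version belongs to."""
    major_minor = v[0][:2]
    if major_minor == (2, 12):
        return "2.12"
    if major_minor == (2, 3):
        return "2.3"
    return "main"


def log4j_core_cves(version_text: str) -> List[str]:
    """Return the Log4Shell-family CVEs that still apply to this log4j-core version."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:  # 1.x and earliest 2.0 betas: outside this CVE family
        return []
    line = release_line(v)
    return [cve for cve, fixed in FIXES if v < parse_version(fixed[line])]


def scan_dependencies(listing: str) -> List[Tuple[str, List[str]]]:
    """Scan 'group:artifact:version' lines; return (coordinate, cves) for flagged log4j-core."""
    findings: List[Tuple[str, List[str]]] = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue
        group, artifact, version = parts[:3]
        if (group, artifact) != ("org.apache.logging.log4j", "log4j-core"):
            continue  # log4j-api and other artifacts do not carry the JNDI lookup
        cves = log4j_core_cves(version)
        if cves:
            findings.append((line, cves))
    return findings


if __name__ == "__main__":
    for coordinate, cves in scan_dependencies(SAMPLE_DEPENDENCIES):
        print(f"{coordinate}: {', '.join(cves)}")
```

Run against the sample, the three flawed log4j-core entries (2.14.1, 2.15.0 and 2.0-beta9) are reported with the CVEs each still carries, while 2.12.4 and 2.17.1 pass, and log4j-api is ignored because the lookup lives in log4j-core. The same ordering logic is what lets a build policy reject a download before it lands, which is the decision the article says consumers are failing to make.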
Theres no excuse for this.
Funding will not solve that.
That is not to say funding has no role to play at all.
Malicious open source is like an E. coli outbreak: dangerous to everyone who consumes it. A vulnerability is more akin to a peanut allergy: dangerous only to some.
So, what do we mean by malicious open source?
Malicious components are planted by bad actors to intentionally infect software with damaging code.
When detected, these are taken down immediately and flagged as harmful.
Vulnerable components, by contrast, certainly wouldn't be removed from the shelf!
This distinction is important because not all vulnerabilities are universally dangerous to everyone.
This was even true of the Log4Shell vulnerability.
Despite its criticality, there were specific conditions under which it wasn't exploitable.
For instance, on a JVM whose JNDI client refused to load classes from a remote codebase, the vulnerable lookup could fire and the remote-code-execution path still went nowhere; the flaw just sat there, inert.
That's because, sometimes, there are mitigating controls, or the affected part of the software isn't active.
It's a weakness, not malware.
This is how people should think about vulnerabilities within open source software.
Obviously, you cant avoid every vulnerability.
Any security professional knows that this shouldnt be a goal anyway.
These are the nuances people have to recognize to make intentional decisions.