The Open Source Security Foundation (OpenSSF) has released a manifesto seeking to “prioritize secure consumption of open source components.”
Research by security company Sonatype released at the end of last year demonstrated that, in many cases, the problems that arise from relying on open-source software can be avoided. For example, an astonishing 96% of open source Java downloads with publicly known vulnerabilities could have been avoided: a patched version already existed, yet consumers ignored it and downloaded the flawed versions anyway.
And it turns out that this is true even for famous vulnerabilities like Log4j. According to OpenSSF, 22% of Log4j downloads in the last week were vulnerable versions. As a matter of fact, just last month, software developers consumed hundreds of thousands of vulnerable versions of Log4j.
“OSS [open-source software] is a valuable public good. As such, it has provided tremendous gains in efficiency and innovation. Not all OSS is equal. For example, some projects may not be well-maintained. Others lack secure software development standards. Even in the best cases, risk still exists. OSS isn't altogether different from most software; it has defects. Yet, many (most) organizations have no approach or strategy of consumption of OSS,” OSSF noted in the foreword of the manifesto.
The organization sees a problem in how users consume open source products, and “no amount of incidents like Log4Shell or the next headline will change this.”
In essence, the Open Source Consumption Manifesto calls for what we could call mindful use of open source software. It means that organizations should not only download secure versions but also follow the discussion surrounding the open source projects they depend on. For example, commercial and non-commercial organizations alike should recognize the risks associated with open source software and be aware that not all vulnerabilities are actively curated.
You can read more about best practices and sign the Manifesto here.