Open Source: It’s Free, but is it Secure?
Not all open source projects are equal. Some are backed by large businesses, such as IBM/RedHat, MongoDB, and Elastic, while many others have just one or two contributors. As a result, the quality of open source projects spans a huge spectrum.
An unfortunate truth is that many smaller open source projects have invested very little in the area of security. A recent survey by the Linux Foundation on the state of free and open source software (FOSS) found that, on average, open source developers spend about 2 percent of their time considering the security of their projects. Security is typically an afterthought or something not even considered.
The report found that “there is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors. Developers generally do not want to become security auditors; they want to receive the results of audits.”
Frank Nagle, a Harvard Business School professor, said that “although we did not specifically ask whether developers think security is important, they likely understand that is a concern, but believe others should deal with it.”
The report suggests the following ways to improve security:
- Provide funding to audit critical FOSS projects, and design the audits so that they produce specific, fixable findings that improve security.
- Rewrite FOSS project components with issues to be more secure.
- Make software best practices a priority.
- Companies that contribute to FOSS projects should train their developers on security best practices.
- Badging and mentor programs should be initiated to encourage good security practices.
- Projects should incorporate the use of security tools and automated tests.