Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Open Source Software Supply Chain Security Takes Center Stage for Government and Industry
By Donald Fischer, co-founder and CEO of Tidelift
As software supply chain attacks and vulnerabilities become more commonplace, both industry and government agencies are taking note and realizing that the software supply chain needs to be addressed. The coming year will see more parties paying attention, new strategies being developed to ensure resilience, and software maintainers asking for compensation for this important work.
Log4Shell was a warning shot
In the wake of the Log4Shell vulnerability (CVE-2021-44228, a remote code execution flaw in the widely used Log4j logging library), many reports have indicated that very little actual data was breached. While this is good news, it is important for organizations to see Log4Shell as a call to action: the next vulnerability in a similarly ubiquitous component could have a major impact on the business. The new year will also see recognition that attacks are not just on businesses but could very well have a societal impact, with water supplies, electric grids, election systems, and other critical infrastructure becoming targets.
The shine on SBOMs starts to fade as leaders recognize they are not a silver bullet
Software Bills of Materials (SBOMs) play an important role in securing the open source software supply chain, but by themselves they are not a complete answer to managing and securing it. An SBOM tells you what is in a build; it does not tell you whether those components carry known vulnerabilities or whether anyone is still maintaining them. In the new year, we will see the SBOM conversation move past the basic "ingredients list" discussion to SBOMs as one part of a larger strategy for improving the resilience of the software supply chain.
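The following is an added example, not code from the article or from Tidelift, showing what "beyond the ingredients list" means in practice: an SBOM on its own is just a list of components, and only becomes actionable once it is cross-referenced with data it does not contain. The SBOM fragment, the vulnerability record, and the maintainer metadata are all constructed inline for the example; the log4j-core range is reproduced from CVE-2021-44228's published affected versions purely as sample data, and the maintenance signals are hypothetical. A real pipeline would pull both from live sources (a vulnerability feed such as OSV or NVD, and whatever maintainer or funding data the organization tracks).

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment for illustration; not from any real build.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "widget-utils", "version": "1.3.0",
     "purl": "pkg:maven/com.example/widget-utils@1.3.0"}
  ]
}
"""

# Constructed vulnerability records. A real pipeline pulls these from a feed
# (NVD, OSV, GitHub Advisories); the log4j-core range is CVE-2021-44228's
# published affected range, reproduced here as sample data only.
VULNS = [
    {"id": "CVE-2021-44228",
     "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
]

# Hypothetical maintenance signals: the kind of data an SBOM does not carry.
# Values are invented for the example and say nothing about the real projects.
MAINTAINER_INFO = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": {"funded": True, "days_since_release": 30},
    "pkg:maven/org.apache.logging.log4j/log4j-api": {"funded": True, "days_since_release": 30},
    "pkg:maven/com.example/widget-utils": {"funded": False, "days_since_release": 900},
}

VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?")


def parse_version(v):
    """Order Maven-style versions so that '2.0-beta9' < '2.0' < '2.14.1' < '2.15.0'.

    A final release sorts after any pre-release of the same number.
    """
    m = VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    release = (int(major), int(minor or 0), int(patch or 0))
    if tag is None:
        return release + (1, 0)
    return release + (0, int(tagnum or 0))


def load_components(sbom_json):
    """Return (purl without the version suffix, version) for each SBOM component."""
    bom = json.loads(sbom_json)
    return [(c["purl"].rsplit("@", 1)[0], c["version"]) for c in bom["components"]]


def match_vulnerabilities(sbom_json, vulns):
    """Cross-reference SBOM components against vulnerability ranges.

    A component is affected when introduced <= version < fixed.
    """
    findings = []
    for purl_base, version in load_components(sbom_json):
        pv = parse_version(version)
        for vuln in vulns:
            if vuln["purl_base"] != purl_base:
                continue
            if parse_version(vuln["introduced"]) <= pv < parse_version(vuln["fixed"]):
                findings.append((purl_base, version, vuln["id"]))
    return findings


def maintenance_risks(sbom_json, maintainer_info, max_days=365):
    """Flag components with no maintainer data, or unfunded maintainers and a stale last release."""
    flagged = []
    for purl_base, version in load_components(sbom_json):
        info = maintainer_info.get(purl_base)
        if info is None:
            flagged.append((purl_base, version, "no maintainer data"))
        elif not info["funded"] and info["days_since_release"] > max_days:
            flagged.append((purl_base, version, "unfunded and stale"))
    return flagged


if __name__ == "__main__":
    for finding in match_vulnerabilities(SBOM_JSON, VULNS):
        print("vulnerable:", *finding)
    for risk in maintenance_risks(SBOM_JSON, MAINTAINER_INFO):
        print("maintenance risk:", *risk)
```

Run stand-alone, the script reports log4j-core 2.14.1 as affected by CVE-2021-44228 and widget-utils as an unfunded, stale dependency. Neither finding is visible in the SBOM itself; both come from the data joined to it, which is the point of treating the SBOM as an input to a strategy rather than the strategy.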
New stakeholders are concerned with open source software supply chain security
Conversations around the risks to open source supply chain security have moved beyond security teams and are now happening among overall business leadership and in the boardroom. Due to increased attention spurred on by the White House Executive Order on Improving the Nation's Cybersecurity (EO 14028) and several other industry-wide initiatives, the coming year will see "new players" interested in supply chain security, in government, finance, critical infrastructure, and more.
Open source software maintainers, appropriately, push back
In 2022, against a backdrop of rising software supply chain attacks, most notably Log4Shell, industry and government leaders launched a series of initiatives to improve open source software security.
In 2023, we will see even more open source maintainers beginning to push back against the new requirements coming out of these initiatives. Why? Because many of them see these requirements as an "unfunded mandate," a request for them to do additional work without being compensated for it.
According to last year's open source maintainer survey, the vast majority of maintainers are volunteers, with 45% of them earning nothing for their work and over 70% earning less than $1,000 per year. Adding responsibilities when maintainers are already overworked is not going to go over well.
So in 2023, we will also see more maintainers requesting compensation, saying no to the work, or even in some cases abandoning their projects or staging protests. Smart organizations will recognize, and act to overcome, this work/compensation imbalance in order to ensure the continued resilience of the software they depend on. We'll also start to see a clearer distinction between professional open source maintainers willing and able to do this work for pay, and those who are hobbyists by choice and choose to ignore it.
## ABOUT THE AUTHOR
Donald Fischer is co-founder and CEO of Tidelift. Previously he was a venture partner at General Catalyst, a member of the investment team at Greylock Partners, and an executive at Typesafe (now Lightbend) and Red Hat. He holds a BS in economics and computer science from Yale University, an MS in computer science from Stanford University, and an MBA from Columbia Business School.