Tidelift 2023 Predictions: Open Source Software Supply Chain Security Takes Center Stage for Government and Industry


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual series exclusive.

Open Source Software Supply Chain Security Takes Center Stage for Government and Industry

By Donald Fischer, co-founder and CEO of Tidelift

As software supply chain attacks and vulnerabilities become more commonplace, both industry and government agencies are taking note and realizing that the software supply chain needs to be addressed. The coming year will see more parties paying attention, new strategies being developed to ensure resilience, and software maintainers asking for compensation for this important work.

Log4Shell was a warning shot

In the wake of the Log4Shell vulnerability, many reports have indicated that very little actual data was breached. While this is good news, it is important for organizations to see Log4Shell as a call to action to be prepared for future vulnerabilities that could have a major impact on the business. The new year will also see recognition that attacks are not just on businesses but could very well have a societal impact, with things like water supplies, electric grids, election security, and other critical infrastructure becoming targets.

The shine on SBOMs starts to fade as leaders recognize they are not a silver bullet 

Software Bills of Materials (SBOMs) play an important role in securing the open source software supply chain, but by themselves they are not the complete answer to managing and securing the supply chain. In the new year, we will see the SBOM conversation move past the basic "ingredients list" discussion to SBOMs as one part of a larger strategy for improving the resilience of the software supply chain.

New stakeholders are concerned with open source software supply chain security

Conversations around the risks to open source supply chain security have moved beyond security teams and have now become conversations within overall business leadership and in the boardroom. Due to increased attention spurred on by the White House Executive Order and several other industry-wide initiatives, the coming year will see "new players" interested in supply chain security: in government, finance, critical infrastructure, and more.

Open source software maintainers, appropriately, push back

In 2022, against a backdrop of rising software supply chain attacks (most notably Log4Shell), industry and government leaders launched a series of initiatives to improve open source software security.

In 2023, we will see even more open source maintainers beginning to push back against the new requirements coming out of these initiatives. Why? Because many of them see these requirements as an "unfunded mandate": a request for them to do additional work without being compensated for it.

According to last year's open source maintainer survey, the vast majority of maintainers are volunteers, with 45% of them earning nothing for their work and over 70% earning less than $1000 per year. Adding additional responsibilities when maintainers are already overworked is not going to go over well. 

So in 2023, we will also see more maintainers requesting compensation, saying no to the work, or even in some cases abandoning their projects or staging protests. Smart organizations will recognize, and react to overcome, this work/compensation imbalance in order to ensure the continued resilience of the software they depend on. We'll also start to see a clearer distinction between professional open source maintainers who are willing and able to do this work for pay, and those who are hobbyists by choice and choose to ignore it.




Donald Fischer is co-founder and CEO of Tidelift. Previously he was a venture partner at General Catalyst, a member of the investment team at Greylock Partners, and an executive at Typesafe (now Lightbend) and Red Hat. He holds a BS in economics and computer science from Yale University, an MS in computer science from Stanford University, and an MBA from Columbia Business School.

Published Tuesday, December 06, 2022 7:34 AM by David Marshall