Tidelift 2024 Predictions: Open Source Software Returns to its Roots, Security Remains a Concern

Industry executives and experts share their predictions for 2024.  Read them in this 16th annual VMblog.com series exclusive.

Open Source Software Returns to its Roots, Security Remains a Concern

By Donald Fischer, CEO and co-founder and Luis Villa, general counsel and co-founder, Tidelift

Open source software and supply chain security continued to garner considerable attention in 2023. The coming year will see continued regulatory measures, the effects of AI on open source, and a return-to-the-roots focus on both the original principles of open source and the maintainers that keep it secure and resilient. In 2024, organizations will need to adapt to this evolving landscape to safeguard their software supply chains against emerging cyber threats and vulnerabilities.

Another Log4Shell-sized vulnerability leads organizations and government to finally eliminate their open source blind spot. For many years, there has been a blind spot within organizations when it comes to open source software security. These organizations bring in open source packages without knowing whether the maintainers of these packages follow the same secure development practices the organization would require of their own code. In 2024, the emergence of a new Log4Shell-scale vulnerability finally convinces organizations that "nothing comes for free." They begin paying more attention to their open source suppliers and start making the changes necessary to ensure that the maintainers developing the code they rely on are properly incentivized to do important security and maintenance work. Interestingly, the U.S. federal government emerges as a leader of this effort and begins to invest in paying for the security and maintenance work of open source maintainers. 

New government security mandates around the world create a confusing GDPR-like moment for open source security. As new government security requirements emerge (such as those under OMB memorandum M-22-18 and White House Executive Order 14028 in the US, and the Cyber Resilience Act in the EU), confusion reigns for organizations and open source maintainers alike. The lack of clear direction, combined with conflicting incentives and penalties, actually slows progress toward the very security outcomes the regulations are intended to produce.

Open source contributors fed up with corporate interests exploiting open source start fighting back. After a period in which the principles underlying the open source movement took a back seat, open source contributors will rediscover open source's roots in the free software movement and start fighting back against commercially controlled projects bending and breaking open source principles in search of profits. Interestingly, by revisiting the original core tenets of open source, organizations will begin to once again reap the benefits of the model as it returns stronger than ever, with new antibodies to protect it.

In 2024, we see the rise of dedicated open source product security teams within organizations. As open source continues to expand its footprint within commercial products, product security groups will begin building out dedicated teams focused exclusively on the security of the open source components that make up much of the source code in their products.

Intellectual property issues return as a primary concern in open source. Driven in part by increasing attention to the provenance of the data used to train AI and machine learning models, organizations return to paying closer attention to IP issues in open source and to the "legal technology" patterns pioneered by open source licenses.

Already overwhelmed open source maintainers "cry uncle" as well-intended, AI-generated pull requests create a snowball of even more noise for them to deal with. Predictably, the end result is even more frustrated maintainers, many of whom will quit their maintenance work altogether, leading to more security risk for the organizations that depend on their projects.

##

ABOUT THE AUTHORS

Donald Fischer is CEO and co-founder at Tidelift. Previously, he was a product manager and executive at Red Hat, and an investor and board member at over a dozen open source software startups.

Luis Villa is co-founder and general counsel at Tidelift. Prior, he was a top open source lawyer advising clients, from Fortune 50 companies to leading startups, on product development and open source licensing.

Published Tuesday, December 05, 2023 7:37 AM by David Marshall