Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
Open Source Software Returns to its Roots, Security Remains a Concern
By Donald Fischer, CEO and co-founder and
Luis Villa, general counsel and co-founder, Tidelift
Open source software and supply chain
security continued to garner considerable attention in 2023. The coming year
will see continued regulatory measures, the effects of AI on open source, and a
return-to-the-roots focus on both the original principles of open source and
the maintainers that keep it secure and resilient. In 2024, organizations will
need to adapt to this evolving landscape to safeguard their software supply
chains against emerging cyber threats and vulnerabilities.
Another Log4Shell-sized vulnerability leads organizations and government
to finally eliminate their open source blind spot. For many
years, there has been a blind spot within organizations when it comes to open
source software security. These organizations bring in open source packages
without knowing whether the maintainers of these packages follow the same
secure development practices the organization would require of their own code.
In 2024, the emergence of a new Log4Shell-scale vulnerability finally convinces
organizations that "nothing comes for free." They begin paying more attention
to their open source suppliers and start making the changes necessary to ensure
that the maintainers developing the code they rely on are properly incentivized
to do important security and maintenance work. Interestingly, the U.S. federal
government emerges as a leader of this effort and begins to invest in paying
for the security and maintenance work of open source maintainers.
New government security mandates around the world create a
confusing GDPR-like moment for open source security. As new
government security requirements emerge (like those required under M-22-18 and
White House Executive Order 14028 in the US and the Cyber Resilience Act in the
EU), confusion reigns for organizations and open source maintainers. The lack
of clear direction, together with conflicting incentives and penalties, actually slows
progress toward the security outcomes the regulations are intended to produce.
Open source contributors fed up with corporate interests
exploiting open source start fighting back. After a period in which the
principles underlying the open source movement took a back seat, open source
contributors will rediscover open source's roots in the free software movement
and start fighting back against commercially controlled projects bending and
breaking open source principles in search of profits. Interestingly, by
revisiting the original core tenets of open source, organizations will begin to
once again reap the benefits of the model as it returns stronger than ever,
with new antibodies to protect it.
In 2024, we see the rise of dedicated open source product security
teams within organizations. As open source continues to expand
its footprint within commercial products, product security groups will begin
building out dedicated teams focused exclusively on the security of the open
source components that make up much of the source code in their products.
Intellectual property issues return as a primary concern in open
source. In part driven by the increasing attention on the provenance of
data used to train AI machine learning models, organizations return to paying
closer attention to IP issues with open source and the "legal technology"
patterns innovated by open source licenses.
Already overwhelmed open source maintainers "cry uncle" as well-intended, AI-generated
pull requests create a snowball of even more noise for them to deal with. Predictably,
the end result is even more frustrated maintainers, many of whom will quit
their maintenance work altogether, leading to more security risk for
organizations.
ABOUT THE AUTHORS
Donald Fischer is CEO and co-founder at Tidelift.
Previously, he was a product manager and executive at Red Hat, and an investor
and board member at over a dozen open source software startups.
Luis Villa is co-founder and general counsel at Tidelift. Prior, he was a top open source lawyer
advising clients, from Fortune 50 companies to leading startups, on product
development and open source licensing.