Open source security's systemic challenges
In this installment of 'IT Ops Query,' Emily Fox talks about how reevaluating 50-year-old open source security practices could lead the community somewhere new.
Open source security has taken on new importance in the post-Log4Shell era. While security practices are starting to change, Emily Fox, senior principal software engineer at Red Hat and chair of the Technical Oversight Committee of the Cloud Native Computing Foundation, said systemic change is still needed.
This includes modernizing traditional open source projects and libraries, according to Fox.
"To date, I have not found a good practice by existing foundations or bodies to bridge that gap, to provide that security expertise and to kind of be the partner in bringing some of those more heritage projects within the ecosystem to modern security standards and expectations," she told TechTarget Editorial's Beth Pariseau in Episode 8 of IT Ops Query: Tech's Tragedy of the Commons.
Part of the challenge has to do with a gap in cybersecurity skills needed to integrate existing materials, resources and guidance into projects. But it also has to do with the lack of a deep bench for traditional projects, where individuals could be identified and taught programming language skills to ensure next-generation maintenance, Fox said.
Plus, open source project communication tends to move in one direction: from developer to maintainer, or from pull request to maintainer, Fox said. More bidirectional communication could create better experiences with open source software, including better security. She suggested that maintainers identify and draw on the skills of the people who open pull requests, and that enterprise users must also understand their responsibility to give back to the open source community by sharing their experiences.
"While open source may be free, it's free like a puppy. And that means not only do you have to do the work for integration into your environment, you are also expected to contribute back to the projects your lessons and learnings from that integration to assist others," Fox said.
Stronger open source security requires modernizing not just traditional projects but practices as well. Security's relationship with open source initially had less to do with reacting to specific situations and more to do with establishing trust in the community overall, she said. That changed with the onset of cyberattacks such as SolarWinds, but the actual practices for vulnerability management and technology controls didn't. That means security operates today much the same as it did 50 years ago despite significant technology changes. Security professionals are reevaluating, which will likely lead to "a new wave of innovation," Fox said.
Nicole Laskowski is a senior news director for TechTarget Editorial. She drives coverage for news and trends around enterprise applications, application development and storage.
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.