Small open source projects pose significant security risks

Open source security initiatives might prevent large-scale vulnerabilities such as Log4j, but smaller projects pose risks without more maintainer support, industry experts say.

Open source continues to come of age with stronger institutional backing and increased financial support for maintainers. But developers on smaller projects are often unpaid, which carries security risks when they leave or defect, according to industry experts.

Open source software had a resurgence in the 1980s as a reaction against corporate attempts to control software. Now open source repository GitHub, which started development in 2007 with bootstrapped funding, has $1 billion in annual recurring revenue, according to Microsoft's first-quarter fiscal year 2023 earnings call in October. Microsoft acquired GitHub in 2018 for $7.5 billion.

But alongside success is the specter of vulnerabilities such as 2021's Log4j, which allowed hackers to exploit systems and services that used the Java logging library. As a result, a bipartisan bill called the Securing Open Source Software Act, introduced in the U.S. Senate in September, aims to enact federal legislation to help prevent such vulnerabilities.

While acts such as this develop risk frameworks for open source software that the federal government uses, they might not counter the effects of maintainers who abandon or deliberately sabotage their own projects, which can result in malware injection and nonworking applications. In addition to legislation and corporate support, the elusive solution to open source security could lie in more financial support -- especially for smaller projects, according to industry experts.

Changes to small open source projects can wreak havoc on the larger ecosystem. For example, in 2016, thousands of projects including Node and Babel were unable to run correctly when one developer unpublished his 17-line open source NPM package called left-pad.

"There's a chunk of people who are maintaining vital -- and heavily depended-on -- left-pad-type projects with little recognition, which might cause similar problems if they go offline," said David Gray Widder, a doctoral student at the Carnegie Mellon University School of Computer Science.

In addition to abandoned projects, deliberate sabotage adds more unpredictability to the mix. For example, in January, developers sabotaged their own faker.js and colors.js projects with anti-corporate messages to protest the lack of funding for projects, and in May, developers vandalized an NPM package to protest the Ukraine war.

More such disasters might be waiting in the wings. "The thing is, it is hard to know where or what they are, until something breaks," Widder said.

Community backing can prevent issues

Left-pad was the work of a single developer, which left the npm ecosystem exposed because one person alone could unpublish the package. But most projects rely on more than one leader or maintainer, said P.J. Hagerty, developer advocate and senior staff engineer at Spotify.

"The communities who use these tools and things built by open source maintainers, they often come in to support anything they find useful," he said. "Which ensures a project can live even if the original maintainers or creators fade away."

The Ruby on Rails framework, released in 2004, is one example of how the community has stepped up, Hagerty said. Most of the original core team members have left or are busy with other projects, yet the community at large continues to maintain the framework, he said. Ruby enthusiasts consider it one of the best programming languages for web development, although it is declining in popularity. Only 5.83% of 70,000 developers surveyed in Stack Overflow's 2022 Developer Survey reported that they have performed extensive development with Rails in the last year.

But some smaller projects lack community support, which opens them up to security concerns when maintainers leave. Maintainers disengage from their projects for a variety of reasons, including frustration when companies use a developer's work for free, loss of interest, lack of time or lack of support from peers, Widder said.

"This may suggest that volunteers who might not have the luxury of working on open source projects during company time feel especially unsupported, which may lead to disengagement," he said.

Institutional support taking shape

While some projects are losing traction or failing to attract fresh interest and volunteers, companies that depend on open source projects often offer financial or engineering assistance to shore things up, said Charles King, analyst at Pund-IT. For example, companies such as Microsoft, Google and Red Hat support open source projects with thousands of actively contributing employees.

In addition to corporate support, groups help move funds toward individual developers and projects, including Ruby Together, a nonprofit organization that pays developers who work on Ruby infrastructure projects, and the Python Software Foundation, a nonprofit that offers grants for Python-related projects. A relative newcomer is Tidelift, which pays developers to validate open source software. Tidelift is gaining traction, with $73.5 million in venture capital funding received since its 2017 inception.

While companies such as Tidelift are promising, more is needed to ensure open source security for smaller projects with community-led initiatives, according to Widder.

"It would be good to recognize open source as digital infrastructure, and fund it publicly -- for example, the way governments subsidize broadband or other infrastructure," Widder said.

But there's no easy answer to open source security because of its unique nature, King said.

"Open source has always been on the brink due to it working in ways that contradict or even defy conventional wisdom," King said. "That was the case from the earliest days of Linux development, and for years afterward when open source projects challenged and often supplanted proprietary technologies and platforms. Until something better comes along, I expect things will continue to proceed and progress this way."
