It takes a community: Responding to open source criticism post-Log4Shell
December 24, 20210 mins read
The last week has been a wild ridefor just about everyone in the technology world due to the public disclosure of the Log4Shell vulnerability. As a developer security company, Snyk has built our business around proactive automation to identify and fix security issues in applications. To say we’ve been busy this week would be an understatement.
With that being said, however, one of the narratives we've seen over this past week in relation to Log4Shell is that open source is fundamentally broken: there aren’t enough contributors to build "reliable" software, there aren’t enough security checks, and there isn’t enough funding to ensure open source software is sustainable.
And while there is some merit to these claims, we wholeheartedly disagree with the idea that open source is broken. Open source is awesome. It’s what drives the development community forward, what allows us to “stand on the shoulders of giants”, and quite frankly, open source means we can act as a community to keep them secure – something that isn’t possible with closed source software.
To linger on that last point for a moment, open source is built on community. When an urgent security issue arises in open source, the community can work together to resolve it, to share the fix broadly, and to evaluate how widespread it is. While vulnerabilities are never good, they’re an opportunity for the open source community to strengthen its protocols and practices. When a community of millions comes together, it can do amazing things — like resolve a 10.0 zero-day!
Is open source perfect? Absolutely not: there are real funding issues, contribution imbalances, security issues, etc., but all of these things can be rectified by people like you and me. With open source, everyone can do something about it!
Problems in open source today
Let’s examine some of the problems in open source that have been called out by others in recent weeks:
Open source software needs funding.
Open source software needs more contributors to provide review, enhancements, etc.
Open source software doesn’t take security seriously.
Open source software needs funding
This is absolutely true! As Christine Dodrill points out in her recent article, the `log4j` library (used by countless Java applications) had three paid sponsors before the Log4Shell vulnerability elevated the awareness of the situation.
This is a real problem. Open source libraries that people rely on often need funding in order to ensure maintainers have enough time to dedicate towards fixing issues and ensuring the stability and security of their applications.
Similar to Log4j, before the Heartbleed vulnerability was announced, the OpenSSL project was maintained by two people with a combined budget of ~$2,000 USD per year. This was not nearly enough resourcing for such a critical piece of internet infrastructure.
Open source software needs more contributors
While many well-known projects do have a number of contributors, many critical open source libraries are often built by a small number of people which means there’s always a risk that bugs aren’t fixed in a timely manner, unmitigated security issues crop up, or maintainers simply move onto other projects leaving a void in maintenance.
For example, the curl tool and library which have been widely used since 1998 to fetch data was maintained by a single person for many years!
Open source doesn’t take security seriously
This one has been said a lot recently. While it’s true that open source has its fair share of security vulnerabilities, many experts believe that open source software has a variety of benefits over proprietary software when it comes to security. Furthermore, as recent events have shown, when security vulnerabilities do crop up, the open source community generally finds ways to get things fixed, even with limited funding and contributors.
The larger issue is that most developers (regardless of whether they work on open source or not) don’t have the necessary security knowledge, training, and tooling to effectively “take security seriously.” Our 2019 State of Open Source Security Report found that only three in ten open source maintainers considered themselves to have “high security knowledge.”
This isn’t a fault of open source developers, this is a failure of the entire developer ecosystem: security has been an offshoot of the industry for as long as I can remember, whereas if we want to build more reliable, secure software, we need for security to become a core part of the software development process:
Security tooling needs to be a part of every developer’s toolkit (just like an IDE or editor).
Security alerts need to be relevant, meaningful, and high-value (having false or low-value alerts is a painful distraction).
Security needs to be well-integrated into developer workflows and tools (CI/CD pipelines, code review processes, etc.).
Security needs to be taught in computer science programs and included as core parts of the educational curriculum.
What’s great about open source today
Now that we’ve discussed some of the core complaints people have with open source, let’s talk about some of the positives.
Open source is thriving
There are more open source developers today than ever before. GitHub wrote a fantastic article back in 2018 detailing the number of open source developers on their site after they hit 100 million repositories.
At the time, GitHub reported that they had 31 million combined developers from nearly every country in the world collaborating across 1.1 billion contributions.
There has also been a substantial increase in the amount of first time open source contributors: in 2019 GitHub saw almost 2 million first-time contributors and just two years later (in 2021) that number has ballooned to over 3 million.
The short of it is: there are a lot of developers working on (and contributing to!) open source projects across the globe.
Open source is the foundation for… just about everything
Regardless of how you feel about open source, its impact on the modern world is unquestionable. Open source is the foundation for just about every major business, application, and project that’s been built in the last 20+ years.
Imagine building a web application today without relying on an open source web framework (like Django), or building a desktop application without at least a handful of open source libraries. It’s almost unimaginable for a developer.
Like it or not, open source is being used everywhere from the smallest hobby projects to the most massive web applications on the planet (and off the planet, as well!). One report found that 98% of all code bases rely on open source software. The world runs on open source.
Open source funding is being worked on
Despite the (very real) fact that many open source projects are desperately in need of funding, there are lots of initiatives and social change addressing these issues.
For example, as of today, there are now 105 sponsors of Ralph Goers, lead maintainer for the Log4j project. While it would have been nice for this funding pre-Log4Shell, the community recognized the issue and many individuals and organizations have stepped up to provide funding where it is needed. This is a great example of the community coming together to help solve a problem.
Foundations, like The Linux Foundation (The Apache Foundation, The Python Foundation, etc.), offer lots of resources to open source projects that need help (both financial and otherwise). While there’s still lots of work to be done here, these organizations are making a direct impact on high-value open source projects, helping to ensure they have adequate funding, resourcing, and visibility.
The same is true for many companies: there are lots of organizations that either directly (or indirectly, via employee time) support open source projects to help address their needs. The list is far too large to fit into a blog post, but most of the large tech firms are funding open source in one way or another.
Open source security is improving, quickly
As I mentioned before, open source security isn’t an easy thing to address in isolation, as security is a gap across the industry, impacting both open source and closed source applications equally.
The good news is that open source security is quickly improving. This is due to a lot of factors:
Over the last 10 years, there has been an uptick in cybersecurity interest.
Cybersecurity spending, worldwide, has nearly doubled over the last four years alone.
Open source developers now have access to powerful, free services to help detect and remediate security issues (like Snyk, which is 100% free for open source project usage).
There are organized efforts amongst organizations like the OpenSSF (The Open Source Security Foundation) that are specifically dedicated towards securing all open source projects.
There is an ever increasing amount of free security education resources available to help teach developers (and others!) how to build applications securely, whether open source or not.
How to make open source better
The truth of the matter is this: open source is never going to be perfect (nothing is!). It’s up to us (as community members) to leave things better than we found them, and help improve the state of open source.
There’s an old Greek proverb that states: “A society grows great when old men plant trees whose shade they know they shall never sit in.” While this proverb is certainly true for societies at large, we, as a technology community, can both plant trees and sit in their shade due to the quickness of technology.
Below are my suggestions for how you can personally make open source a little bit better:
Consider donating money to your most used open source projects to support their maintainers. You can do this via GitHub Sponsors, OpenCollective, or any number of other ways.
Contribute time to open source projects you build on top of. For example, if you’re building a web application in Django and add a new, useful feature, try contributing it upstream to the project! Getting involved in open source development may not be as hard as you think!
Use free security tooling likeSnyk to help identify and fix security issues in your projects. Tools like Snyk allow you to:
Scan your code repositories for vulnerabilities and alert you automatically when new issues are discovered
Instantly fix a number of common vulnerabilities and help you keep dependencies up-to-date
Plug directly into your IDE to help detect security issues before they’re ever pushed to your repository
Scan containers and infrastructure configurations to ensure your infrastructure is secure
Plug into CI/CD pipelines to ensure critical security issues are caught before going live
Finally, when bad things do happen (like critical security vulnerabilities), don’t panic. There’s no way to build perfectly secure software: new attack vectors and techniques will always be developed, and even code that is considered perfectly secure today may not be next year.
The best thing you can do is take a deep breath and address urgent issues as they arise while keeping a level head. And… Don’t forget to keep in touch with the community! Share your knowledge and best practices with your peers – it helps make everyone better.
I, for one, am thankful for the entire open source community and all of the amazing people that are part of it (including you!). I know that things can seem bad at times, but just remember that progress is being made, things are getting better, and youcan directly make a positive impact!