In March 2024, Andres Freund, a software engineer at Microsoft, uncovered a backdoor in XZ Utils, the compression library and command-line tool shipped in nearly every Linux distribution. The implant, planted by a contributor known as "Jia Tan" (JiaT75) after roughly two years of building trust as a maintainer, reached the 5.6.0 and 5.6.1 releases and has been described as a "nightmare scenario" and one of the best-executed supply chain attacks to date. Unlike Heartbleed, Shellshock, and Log4j, which were accidental flaws, this was a deliberate insertion; together these incidents underscore the security risks inherent in open-source software, which is foundational to modern software systems.
Bogomil Balkansky of Sequoia Capital, Aeva Black from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Luis Villa of Tidelift recently discussed these challenges. Black likened open source to a puppy: “If you don’t feed it, it will eat your furniture.” Open source is crucial yet underfunded, with Balkansky noting that its business model remains a work in progress.
The question of responsibility and funding for securing open source remains contentious. Villa’s Tidelift suggests compensating maintainers to fix vulnerabilities. Meanwhile, CISA is actively engaging with the open-source community, promoting best practices for secure deployment. Black emphasized the importance of viewing open source as a public good and ensuring better engagement to reduce the burden on volunteer maintainers.
Future solutions require layered defenses, or "defense in depth," as Villa highlighted. Balkansky added that open-source security solutions should themselves follow open-source principles, though there are no "silver bullets." Black stressed the need for tooling, such as software bills of materials (SBOMs), that lets software builders identify the open-source components inside their products, since a team that cannot name its dependencies cannot tell whether a compromised release like xz 5.6.x ever reached it.
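As an added illustration of the kind of tooling Black describes (this is example code written for this page, not from the article, CISA, Tidelift, or the xz project), the script below walks a CycloneDX JSON SBOM and flags any component that carries the backdoored xz releases 5.6.0 or 5.6.1. The SBOM content is constructed for the example; the list of package names under which xz ships is an assumption, and the epoch/revision stripping assumes Debian- and RPM-style version strings.

```python
"""Flag backdoored xz releases in a CycloneDX JSON SBOM.

Added example; not code from the article, CISA, Tidelift, or the xz project.
"""
import json

# Upstream xz releases that carried the backdoor (CVE-2024-3094).
BACKDOORED_XZ = {"5.6.0", "5.6.1"}

# Package names under which the xz code base ships; assumed list for this example.
XZ_NAMES = {"xz", "xz-utils", "liblzma", "liblzma5", "xz-libs", "xz-devel"}


def upstream_version(version: str) -> str:
    """Strip a Debian/RPM-style epoch ('1:') and distro revision ('-1', '-0.2')."""
    if ":" in version:
        version = version.split(":", 1)[1]
    return version.split("-", 1)[0]


def walk_components(components):
    """Yield every component, descending into nested CycloneDX components."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))


def find_backdoored_xz(sbom_json: str):
    """Return [(identifier, upstream_version)] for each affected component."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in walk_components(sbom.get("components")):
        name = comp.get("name", "").lower()
        ver = upstream_version(comp.get("version", ""))
        if name in XZ_NAMES and ver in BACKDOORED_XZ:
            hits.append((comp.get("purl") or name, ver))
    return hits


# Constructed sample SBOM (one container image plus two bare packages);
# not taken from any real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "container", "name": "app-image", "version": "2024.04",
         "components": [
             {"type": "library", "name": "liblzma5", "version": "5.6.1-1",
              "purl": "pkg:deb/debian/liblzma5@5.6.1-1"},
             {"type": "library", "name": "openssl", "version": "3.0.13-1"},
         ]},
        {"type": "library", "name": "xz-libs", "version": "5.4.6-1.el9",
         "purl": "pkg:rpm/rocky/xz-libs@5.4.6-1.el9"},
        {"type": "library", "name": "xz", "version": "1:5.6.0-0.2"},
    ],
})

if __name__ == "__main__":
    for ident, ver in find_backdoored_xz(SAMPLE_SBOM):
        print(f"backdoored xz {ver}: {ident}")
```

A version match tells you which builds shipped an affected release. Whether the payload was actually active in a given binary depended on how that build was produced, which is exactly the question inventory data alone cannot answer; the SBOM narrows the search, and the affected artifacts still need to be rebuilt or replaced.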
Securing open-source software demands a collaborative, multi-faceted approach that balances community engagement, funding, and innovative practices to safeguard its critical role in the global software ecosystem.