Ask HN: Is funding the actual problem for healthy Open Source?

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • wg-best-practices-os-developers

    The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

  • TL;DR: Is there any data to suggest that funding an Open Source project materially benefits the users of that project? If you know of any, please share!

    This is a question that has been on my mind ever since Log4Shell. I want to know if funding could have an impact on preventing major vulnerabilities or if the issue is something else (lack of guidance for projects, too many cooks, rampant dev ADHD, etc).

    It seems like a lot of people are talking about this[0][1] and how funding Open Source would help, but I'm concerned that it's simply wishful thinking that money alone would solve the problem. Sometimes reality is cruel like that.

    Is it possible that more funding would help prevent the next Log4Shell or Heartbleed? Maybe! Or are we simply touting a solution, without any data, and our hubris could actually end up hurting security further by just having companies "wash their hands" of responsibility? If FAANG/Fortune 500 throws money over the fence at developers, how much of that money will actually translate into improving the Open Source software?

    I personally believe that funding would _help_ with the security of Open Source software. And it would also help with documentation, support, and a number of other "health problems", all of which would likely help with security. But I'm also concerned that this could backfire too in spectacular ways (increased library proliferation to get funding, people pocketing it for a vacation, hackers targeting popular, dormant libs to harvest money from them, etc).

    I'm not aware of any actual research/data to provide evidence around improving Open Source security. That's why I wanted to ask y'all. Hacker News is a pretty small community and I wouldn't be surprised if somebody from OpenSSF[2] chimed in to help answer this, lol.

    Beyond funding, there are also some projects that I've found like CHAOSS[3][4] that seem to be thinking about quantifying risk for Open Source dependencies and other problems like the "bus factor". It doesn't matter if you fund a project if the dev behind it is MIA.

    If this data doesn't exist, then it's something that I'll likely start investing my time into generating. (I'm working on some Open Source tooling for dealing with managing dependency security[5] that follows up the Log4Shell tooling we also built[6], which is why this has been on my mind a lot recently.)

    Anyway, if you're interested in brainstorming about this further, please shoot me an email (on my profile). Cheers!

    0: https://www.wsj.com/articles/protect-open-source-software-prevention-oss-public-use-cybersecurity-innovation-cyberattack-apache-log4j-11643316125

    1: https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/

    2: https://openssf.org/

    3: https://chaoss.community/

    4: https://chaoss.community/wp-content/uploads/2021/10/English-Release-2021-10-21.pdf

    (Search for "Business Risk" or use the Nav to find the section about how they're attempting to measure the security of Open Source packages)

    5: https://github.com/lunasec-io/lunasec/tree/master/lunatrace

    (This is under active development and is something that is a week or two away from being polished enough for serious usage.)

    6: https://github.com/lunasec-io/lunasec/tree/master/lunatrace/cli/cmd/log4shell

  • lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
