A month later, companies are still struggling to identify which applications in their enterprise stacks are dependent on Log4j - the vulnerable Java library that can facilitate remote code execution unless it’s fully patched up to the latest version. It’s already been linked with a number of cyber attacks on businesses, including a cross-platform ransomware strain.
Google presented its ideas to those in attendance, including the Apache Software Foundation - the owner of the Log4j library. The company raised awareness of key issues in open source, including the very principles on which the community is built, such as the assumption that because many eyes are always on a project, maintaining and updating it regularly, it therefore must be safe.
In Google's view, many projects that are widely in use are, in fact, not regularly maintained, with many relying on just a few individuals to maintain projects on an ad hoc, volunteer basis. In other words, it would be naive to assume that anything with myriad GitHub downloads would be entirely safe to use. Log4Shell is a shining example of just that, as was Heartbleed before it.
Google recommended a number of proposals to tackle the glaring issues in open source, chief among these being the creation of an open source maintenance marketplace between the public and private sectors. It would see volunteers from private companies, which rely on open source projects, matched to the projects that need to be maintained. It could potentially address a key injustice felt by members in the open source community whereby private companies profit from open source tools without contributing anything in return, either financially or in maintenance and innovation.
Cracks in open source
This specific grievance came to a head this week as a ‘vigilante developer’ purposefully sabotaged a number of hugely popular open source libraries out of spite towards big tech firms profiting off tools for which they pay nothing, as reported by our sister site TechRadar Pro.
In what was a particularly bad week for open source, its name was dragged further through the mud when the maintainer of the Apache PLC4X libraries announced that he will no longer continue to update them for free. Recognising the money to be made from the work he puts into them, he will demand payment for any future efforts to maintain the libraries, subverting the very ideals of open source.
It’s not difficult to see why developers have decided to go rogue, though, and perhaps this uprising of sorts has been on the cards for some time. The private sector’s reliance on open source, and the profit it makes as a result, is just one of the many cracks in the community that threatens its prosperity.
Dries Buytaert, founder of Drupal and Acquia, has previously highlighted how open source relies on ‘privileged’ individuals to maintain the extensive array of libraries relied upon by so many businesses. Only a handful of developers with the experience, financial health, and willingness to maintain such projects are in existence, and they too have to pay their bills and forge free time for themselves.
It can be difficult for people in these positions to stay motivated, especially when communities turn toxic or their work receives no appreciation, in addition to the other well-documented open source sustainability issues at play. The drive to continue maintaining libraries is certainly an intrinsic one and pressures that threaten to weaken the enjoyment of open source maintenance simply wither that drive, adding to the personal sacrifice made by maintainers.
These issues filter down into the overall security of open source software and will doubtless lead to increasingly ugly events, like the ones witnessed this week. The value of fostering a strong and healthy culture cannot be overstated, and it’s the reason why IBM-owned Red Hat has been so successful in recent years, its CEO Jim Whitehurst previously explained to IT Pro.
Mending the schism
Perhaps Google’s proposed open source maintenance marketplace may do much more than provide better support for open source projects, small and large. It seems many of the gripes that underpaid, under-appreciated maintainers hold relate to the absent contributions from the private sector, leaving them to do all the heavy lifting.
Having a centralised environment where private sector volunteers are seen to actively maintain the projects that are deemed valuable to digital supply chains has the potential to reinvigorate open source. But whether the private sector has the skills and experience to achieve this is another matter, Michael Isbitski, technical evangelist at Salt Security, explained to IT Pro.
“Unfortunately, many organisations beyond large enterprises still lack adequate application security testing expertise or tooling to accomplish this," he said. "Effective application security testing requires a combination of static analysis, dynamic analysis, fuzzing, and behaviour analysis in runtime which is costly and time-consuming.
“Many organisations will suppress found issues in third-party and open-source code since they have a hard enough time detecting, triaging, and remediating issues in their own code.”
Google is happy to commit resources to its proposed marketplace, but Google is Google - the Big Tech behemoth. It may not be feasible for smaller firms to allocate the people required, which could perhaps, in turn, diminish enthusiasm among larger firms to take the hit.
Moreover, it may not even be a case of convincing the private sector alone, as some argue it’s a global issue that requires the input from governments.
“This is not a US, or even a US and UK issue, but a global challenge that requires our immediate attention and expertise,” said Amanda Brock, CEO at OpenUK, to IT Pro.
“Our collective focus is on an international collaboration across software security, acknowledging the key role of open source… we must collaboratively consider how open source is funded and supported by global governments on a go-forward basis, based on the societal benefits it brings.”
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.