“While the lack of funding in open source is certainly a problem, could funding have prevented the Log4j vulnerabilities?” asks Mike Melanson’s “This Week in Programming” column. “Would funding actually prevent similar vulnerabilities in the future…?”
In a blog post for the Linux Foundation’s Open Source Security Foundation (OpenSSF), Brian Behlendorf argued that open source foundations must work together to prevent the next Log4Shell scramble, outlining seven points that OSS foundations could do to mitigate security risks. Among those seven points — which include security scanning, outside audits, dependency tracking, test frameworks, organization-wide security teams, and requiring projects to remove old, vulnerable code — not once was funding mentioned. Rather, Behlendorf precedes these points by saying that “Too many organizations have failed to apply raised funds or set process standards to improve their security practices, and have unwisely tilted in favor of quantity over quality of code.”
Behlendorf continues after his list of seven suggested acts with a section that boils everything down perfectly:
“None of the above practices is about paying developers more, or channeling funds directly from users of software to developers. Don’t get me wrong, open source developers and the people who support them should be paid more and appreciated more in general. However, it would be an insult to most maintainers to suggest that if you’d just slipped more money into their pockets they would have written more secure code. At the same time, it’s fair to say a tragedy-of-the-commons hits when every downstream user assumes that these practices are in place, being done and paid for by someone else.”
Behlendorf does go on to make some points about funds and fundraising, but his point is less on the lack of funding than the allocation of those funds and how they need to be focused on things like paid audits and “providing resources to move critical projects or segments of code to memory-safe languages, or fund bounties for more tests.”
Behlendorf says that, in the new year, the OpenSSF will be working to “raise the floor” for security in open source.
“The only way we do this effectively is to develop tools, guidance, and standards that make adoption by the open source community encouraged and practical rather than burdensome or bureaucratic,” he wrote. “We will be working with and making grants to other open source projects and foundations to help them improve their security game.”
Behlendorf was a founding member of the Apache Group, which later became the Apache Software Foundation.
So as a long-time member of the Open Source community, he calls the Log4j vulnerabilities “a humbling reminder of just how far we still have to go.”