Insights from OSS Summit 2022: SBOMs, Critical Infrastructure

Russ Andersson: COO & CRO, RapidFort Inc.

Open source has clearly become a “must-have” for any online organization, and requirements and expectations for its safety and security are at a turning point. Speakers at last month’s Open Source Summit (OSS) in Austin, TX, held by the Linux Foundation, laid out important considerations for developers and security professionals that warrant further discussion. Security was a key theme in many sessions.

The conference keynotes included Google’s Vice President of Infrastructure, Eric Brewer, who said that the battle for open source software (OSS) has been won—it has become part of critical global infrastructure and needs to be worthy of worldwide trust. The risk, he says, is that some organizations may not want to use open source at all if they can’t ensure that the applications they’re running are secure.

Given the critical nature of OSS and the regulatory pressures on the horizon, open source project developers must come together as a community, and large consumers, like enterprises, need to give back to these communities. For their part, OSS project maintainers need to consider paid code curation and long-term maintenance, and large consumers need to pay for that curation and maintenance.

In his interview at OSS Con, Linus Torvalds said that an OSS project is nothing without its users. People and organizations use the free software and build dependencies on top of it, further cementing the criticality of OSS.

The path to sustainable, trustworthy open source

With open source software becoming critical to global infrastructure, OSS projects are being scrutinized like never before. Many open source projects are not yet equipped with the basic tools and documentation needed to change how governments and organizations view them. Getting started is simple, but not easy. Brewer offers two actionable insights.

First, open source used in “critical” infrastructure needs to meet higher expectations. This means ongoing maintenance, such as fixing vulnerabilities in older and legacy releases. It also means communities need to pay contributors to do the difficult and unexciting maintenance work. Vulnerability identification, testing, and remediation are complex tasks that call for highly skilled technologists. OSS maintainers need to recruit capable engineers for this difficult work and structure their projects and teams so that it can happen successfully.

Second, open source is a part of public infrastructure and a public good that needs curation. This means open source deserves government funding, which in turn requires a curation buffer between governments and contributors. Curation requires separating the roles of distribution (“as is” software that is freely available) and accountability (curated software that is available for pay), making trustworthiness available to anyone who wants it. Realistically, he said, money is the best way to address the real costs of mundane but important work.

A third way may lie in rethinking the problem of building safe open-source software and operating containers. When security personnel scan containers for flaws, they’re looking specifically for vulnerabilities. When infrastructure operations teams scan containers, they’re looking for operational optimization. What if open source software could be optimized to have both fewer vulnerabilities and a smaller footprint? It’s clear that pressure is mounting on community members to ensure their applications are secure and compact.

There’s no avoiding the need for open source security

The success of OSS comes with a consequence: the imperative for sustainable, trustworthy code. Gone are the days when a project could shrug off responsibility by shipping code “as is.” The entire OSS community must own the responsibility of building reliable and safe code for critical global infrastructure. This won’t happen overnight, nor by accident. Secure code is a must-have feature for any open source project.