Open source has made its way into almost every server farm, consumer device and service we use, and it’s done so without most people even realizing it. Almost no one knows what is in their phones, apps or business data centers. This is wreaking havoc on the global supply chain, so much so that the U.S. House of Representatives Energy and Commerce Committee sent a letter to the Linux Foundation inquiring about it. The Linux Foundation did its best to summarize a very complex situation in its response.
So, with the help of Harvard researchers and companies like Snyk and Synopsys, we set out to produce our second Census of open source software, but this time with a focus on which open source software projects show up in production applications. At the heart of this is a desire to understand how we can take a preventative care approach to security, rather than a reactionary one.
VULNERABILITIES IN THE CORE: A Preliminary Report & Census II of Open Source Software shares the earliest results of a multi-year, data-intensive research project that identifies the most used open source software packages in production applications across the world. This is the first phase of research in our partnership with Harvard, after which we will begin to look into who wrote these popular packages and what software security practices they follow for dealing with vulnerabilities.
Open source is the underpinning of the world’s technical infrastructure and has undoubtedly resulted in massive innovation and disruption. It demands a better understanding, from its creation to its distribution. Organizations need to start thinking about their software supply chain, and open source can be a guide. Cybersecurity concerns often focus on a zero-sum game or good vs. evil, but what is increasingly important is how we can increase transparency and trust in software by improving the systems by which it is created, distributed and consumed. We must start there. Learn how you can contribute to this massive, industry-wide transformation: