While open source software is ubiquitous and generally regarded as secure, practices vary widely across projects: in how applications are developed, in whether a protocol exists for responding to reported defects, and in the absence of standardized criteria for selecting components that are more likely to be secure. As a result, software supply chains remain vulnerable to attack, with consequences and challenges for open source project communities.
To help improve the state of software supply chain security, new research was conducted in partnership with the Open Source Security Foundation (OpenSSF), Snyk, the Eclipse Foundation, CNCF, and CI/CD Foundation, so that programming, incentives, and other resources can be focused where they will best support the creation of more secure software.
In April 2022, LF Research and its partners fielded a survey of 539 open source software maintainers and core contributors, supplemented by qualitative interviews with a subset of those individuals. This report identifies the most acute gaps and challenges in secure software development, including at the organizational level, where policies requiring security protocols are in short supply and dependencies are not effectively managed.
- Linux Foundation Research Team
- Foreword by Brian Behlendorf, General Manager, Open Source Security Foundation
More About LF Research
Open source communities are at the heart of an explosion of technical innovation, where industry leaders, engineers, and end users are collectively creating and improving the digital infrastructure on which the global economy depends.
With an extensive community of members, connections with thousands of companies, and hundreds of thousands of open source contributors, professionals, solution providers, and users, the Linux Foundation is in a unique position to investigate the growing scale of open source collaboration, and provide insights into emerging technology trends, best practices, and global impact of open source projects.
By leveraging project databases and networks, and through a commitment to best practices in quantitative and qualitative methodologies, Linux Foundation Research is designed to be the go-to repository for open source insights for the benefit of organizations and governments the world over.