Software applications across virtually all industries and sectors are increasingly reliant on free and open source software (FOSS, also commonly called OSS). In fact, recent estimates state that open source makes up 80-90% of the average piece of software. That means FOSS is a critical component of modern technology, and, by extension, the global economy. It also means that any security problems could have widespread and devastating consequences.
To find out more about the who, how, and why of FOSS contributions, especially with regards to security, the Linux Foundation’s Open Source Security Foundation (OpenSSF) and Harvard’s Laboratory for Innovation Science (LISH) jointly produced the Report on the 2020 FOSS Contributor Survey.
The survey interviewed thousands of FOSS project participants, exploring key questions like:
- What motivates someone to contribute to FOSS?
- How much time does the average FOSS contributor spend on a project, and what activities (security practices, for example) take up that time?
- Do employers encourage their employees to participate in FOSS projects?
- What kind of security training/resources are FOSS contributors leveraging?
In this blog post, we’ll go through some of the most interesting security-related takeaways from the 2020 FOSS Contributor Survey. We’ll also share some action items that open source project owners can take to improve security practices and encourage contributors to adopt a security-informed mindset.
1. Security Concerns Don’t Translate to Time Spent
The 2020 FOSS Contributor Survey asked respondents to share what external resources would make the biggest impact on their current open source projects. Nearly two-thirds of participants mentioned bug/security fixes, while one-third included free security audits in their responses (survey-takers could select multiple answers). Around 25% stated they’d like to add security-related tools to their continuous integration pipelines. And about 18% requested a free course on secure software development.
Clearly, security is indeed a priority for FOSS contributors, However, when asked if they spent time on security-related activities, only 2.3% of respondents answered yes. Also, survey-takers indicated they had no desire to increase this amount of time in the future.
So, why the disconnect? Survey participants’ text responses were telling, with several indicating that security wasn’t their main role or something they were particularly passionate about. It seems that while FOSS contributors see security as important, they don’t want to be the ones in charge of it. They’d rather see it taken mostly out of their hands, whether through third-party audits or open source security management tools like FOSSA.
Given these findings, organizations that manage FOSS projects should fund additional external security resources when feasible. The more automated you make your security processes, the more protected your project will be.
2. Money Isn’t a Motivator
Since the vast majority of FOSS contributors don’t spend much time on security, how can the organizations and individuals behind open source projects motivate developers to embrace secure coding practices?
In the above section, we suggested paying for audits and/or third-party security tools. However, this may not be an option in every case, particularly for projects that aren't maintained by companies with deep pockets. And there may be other situations in which a FOSS project owner might prefer contributors to personally take some part in securing their code.
According to the 2020 FOSS Contributor Survey results, the top three motivators behind contributing to open source projects were the desire to add a feature/fix, an enjoyment of learning, and a need to take part in creative work. Money, on the other hand, was one of the least important factors. Overall, open source contributors seem to be motivated by intrinsic rewards rather than financial ones. Therefore, simply paying contributors to spend more time on security is unlikely to be effective.
Fortunately, FOSS project owners have a number of other options to consider, including offering mentorship opportunities to contributors with security expertise, paying for security-minded contributors to take online courses, and making educational resources related to security easily available to new project participants.
3. Blogs and Forums Are Important Resources
Most 2020 FOSS Contributor Survey respondents learned about secure code development through informal means as opposed to formal courses, corporate training sessions, or certifications.
The most popular resources are online forums (StackOverflow, Reddit, etc.), with nearly 51% of participants citing these as useful places to learn about security best practices. Blogs and online articles were a close second, with about 47% of survey-takers selecting them as a response. (Participants could choose more than one answer). Thirty percent of respondents selected “Other,” with the most popular text responses being job experience and knowledge sharing between coworkers and co-contributors.
For organizations and individuals that create and/or rely on open source projects, this means leveraging the resources your contributors already use to educate them on security processes and how to best implement them. For example, you might create a shared hub of handy StackOverflow threads on a specific security issue or maintain a list of helpful blog posts on critical secure development topics. Resources on key security issues, such as FOSSA’s reports on reducing risk in open source usage, may also prove very useful.
The educational opportunities here are huge. According to the FOSS survey results, contributors’ implementation of common security practices varies widely. For example, almost 80% of respondents stated that their website had SSL/TLS support, and 41% had a maintainer or core participant who focused on security. However, only 26% had a security policy in place and just 22% used threat models in their projects.
If you have access to learning materials on these security protocols, make them as easy as possible for your contributors to find and use. Small improvements here can have a large impact on your FOSS project.
4. Corporate Clarity Is Key
Approximately three-quarters of 2020 FOSS Contributor Survey respondents said that their employer allowed them to take part in open source projects, with nearly half stating they could do so without prior permission. However, a significant percentage of companies (17.5%) don’t have an open source contribution policy or have a policy that’s unclear. If potential FOSS contributors don’t know that they can contribute, they won’t.
Having employees participate in FOSS projects comes with a number of employer benefits, including increased productivity and valuable developer skills. This is true even if the open source project they’re contributing to isn’t used by or at all related to their employer. For example, doing so can help developers get in the habit of considering security in their day-to-day work. The company’s employees might also learn some new secure development techniques through interacting with coders outside of their organization.
If a company doesn’t have a clear open source contribution policy, the legal team and engineering leadership should work together to craft one and make it readily available to all employees. This policy should include security-related clauses and/or recommendations as well. For example, your organization might encourage employees to select external FOSS projects with well-established secure coding protocols or incentivize employees to follow security best practices in their own contributions.
More on the 2020 FOSS Contributor Survey
You can download the full 2020 FOSS Contributor Survey report for free on the Linux Foundation's website. The complete document includes information on methodology, promotional channels, and response rates, as well as an explanation of potential biases and demographic limitations with regard to gender and geography. In addition, the report contains a number of useful graphs and visualizations.
Additional OpenSSF and LISH resources that pertain to open source include the Census II Report: Vulnerabilities in the Core and the 2020 Open Source Jobs Report. Both are available via the Linux Foundation.