Open source developers not interested in solving code security issues?
Software developers invest less than 3% of their time in solving security issues in free and open source software (FOSS) and show little interest in allocating more resources moving forward, according to research carried out by the Linux Foundation and the Laboratory for Innovation Science at Harvard (LISH). Nearly half of respondents are paid to contribute to such projects.
When asked about enterprise security, some chose to describe it either as “an insufferably boring procedural hindrance,” or as “a soul-withering chore and a subject best left for the lawyers and process freaks.” The use of open source software has increased substantially because it allows developers to be part of a close-knit community that works together to improve software. Recent comments from certain members of this community raise concerns about security best practices, especially since most businesses build their economic success on this type of contribution.
These findings show the real state of security in 2020 and how it can be destabilized by free and open source software projects. The report emphasizes the importance of allocating more resources and tools to enhance the security of FOSS, because security is a shared responsibility.
“There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors,” explains the report. “Developers generally do not want to become security auditors; they want to receive the results of audits.”
Enterprises could play a critical role in helping identify and fix security issues, while developers themselves could rewrite code susceptible to vulnerabilities such as buffer overflows rather than patching it. Moving away from memory-unsafe programming languages would improve security overall, the report recommends.
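The buffer-overflow class the report singles out comes down to copying into a fixed-size buffer without checking the length. The following is an added illustration, not code from the report or from any project it surveys: the unsafe pattern is shown once for contrast, next to the rewritten form in which the destination size travels with the pointer and the input is checked before any byte is written. The function names, the 16-byte field and the sample strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The pattern the report warns about: an unbounded copy into a fixed
 * buffer. Any input longer than NAME_LEN - 1 bytes writes past `name`.
 * Kept only to contrast with the rewrite below; it is never called
 * here with input that would overflow. */
void unsafe_set_name(char name[NAME_LEN], const char *input)
{
    strcpy(name, input);   /* no length check: classic stack buffer overflow */
}

/* Rewritten form (hypothetical API): the destination size is an explicit
 * parameter, the input is measured only within that bound, and the caller
 * learns whether the value was stored. Returns 0 on success, -1 if the
 * input does not fit; on -1 the destination is left untouched. */
int safe_set_name(char *name, size_t name_size, const char *input)
{
    if (name == NULL || input == NULL || name_size == 0)
        return -1;

    /* Look for the terminator only within name_size bytes of input, so a
     * missing or far-away terminator cannot make us read or write further. */
    const char *end = memchr(input, '\0', name_size);
    if (end == NULL)
        return -1;          /* needs more than name_size bytes: reject */

    size_t len = (size_t)(end - input);
    memcpy(name, input, len + 1);   /* len + 1 <= name_size, includes '\0' */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];

    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *too_long = "this-string-is-longer-than-sixteen-bytes";

    printf("short input: %s\n",
           safe_set_name(name, sizeof name, ok) == 0 ? name : "rejected");
    printf("long input:  %s\n",
           safe_set_name(name, sizeof name, too_long) == 0 ? name : "rejected");
    return 0;
}
```

The point of the rewrite is not the extra `if`: it is that the size is part of the function's contract, so every call site is forced to say how big the buffer is, and a reviewer or static analyzer can check the pair rather than guess at the hidden `NAME_LEN` assumption.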
Since the COVID-19 outbreak, malicious actors have been taking advantage of the situation and of the likely desperation of people and companies trying to adapt. In the past months, there has been an increase in malware attacks. Remote work, for instance, has led to a higher rate of ransomware attacks and double extortion cases.
While prescriptive security measures are harder to adapt to a remote global workforce, the threat landscape is not holding back. There have been numerous attacks on healthcare organizations and government websites aimed at destabilizing infrastructure. As recently seen in Brazil, a good number of data leaks were caused by leaked source code or by passwords exposed in source code on GitHub.
The industry is moving at a fast pace, but cybersecurity teams are likely feeling overwhelmed, as there is not enough tech talent to address all issues. On this note, the Canadian Internet Registration Authority (CIRA) says companies do not plan on investing in cybersecurity personnel, even though “three in 10 organizations have seen a spike in the volume of attacks during the pandemic.”
The newly established work-from-home ecosystem, which relies heavily on mobile devices and IoT technologies, is unwittingly contributing to the increase in digital risk. Not only were companies already struggling with security and resilience, but the pandemic has also enlarged the attack surface. Endpoint security and digital risk protection will be critical in patch management and in enhancing infrastructure transparency.