Tidelift’s Post

Yesterday Tidelift’s Luis Villa participated in a TechCrunch Disrupt panel entitled “Free but Not Cheap: the Open Source Dilemma” alongside Aeva Black from the Cybersecurity and Infrastructure Security Agency and Bogomil Balkansky from Sequoia Capital, and moderated by Lorenzo Franceschi-Bicchierai from TechCrunch. A few key themes from the discussion:

⛔ The current model for ensuring the independently maintained open source projects most organizations rely on are secure is not sufficient and needs to be fixed.
💰 Volunteer open source maintainers shouldn’t be expected to shoulder the burden of keeping projects secure without being compensated for the work.
💸 End consumers also should not pay the price for the consequences of insecure products.
🏛️ Governments are getting involved, and leading efforts to raise the security standard for open source.
🏢 Those organizations incorporating open source into their commercial products (open source integrators) WILL be expected to shoulder this security burden.
👀 They should start paying attention because regulation to force the issue is on the way.
🇪🇺🇺🇸 In the EU it is here already (through the recently passed Cyber Resilience Act and the Product Liability Directive) and the US likely won’t be far behind.

💵 Money quotes, emphasis ours:

Luis Villa, Tidelift: “One of the tensions in the current moment is that on the one hand, it’s great that we are getting government attention because this has been rightly pointed out that it is now a national security concern. The good news is that open source has been so successful that we have White House conferences about it. The bad news is that we have White House conferences for some very scary reasons and 👉 that kind of attention is going to bring pressure on open source that I don’t think our communities and certainly not our solo maintainers will handle just for the fun of it. 👈”

Aeva Black, CISA: 👉 ”If you don’t know what’s in the box, you can’t secure it, so it is your responsibility as builders to know what’s in the box. 👈 We need better tools, we need better engagement to enable everybody to do that with less effort and less burden on individual volunteer maintainers and non-profits.”

Bogomil Balkansky, Sequoia Capital: "Through regulation and market expectations I think the integrators of open source now have a powerful incentive to secure their consumption or their integration of open source because at the end of the day they’ll be the ones responsible for the holistic security of their products. These integrators face a relatively simple economic dilemma. 👉 Either spend the money and resources to fix vulnerabilities in whatever open source I am consuming or I channel money, resources, and or time to help the upstream maintainers of open source to do it for me. 👈"

Check out the panel here: https://lnkd.in/gK-FxSV9 #TechCrunchDisrupt2024
More Relevant Posts
-
TL;DR Upstream is June 5! The agenda is now out, and you should sign up, it's free!

Long version: It's 2024, and, last I checked, the amazing open source ecosystem we rely on is struggling. 😥 Corporations feast on freely available open source code 🍖 , while expecting volunteer open source maintainers to foot the bill of keeping it secure and well maintained. 💸 ☝ 👉 👇 👈 We've created a vulnerability identification industrial complex 🏭 that is overwhelming development teams with extra work and false positives 📈 and seems more focused on security theater than reducing actual risk. 📉 Meanwhile over 60% of open source maintainers have either quit or considered quitting their work because they are burnt out 🤬, underpaid 🎱 , and overwhelmed 🤕, putting the health and future of the code we depend on at risk. 🆘

Against this bleak backdrop, I come bearing hope! 😻 If you ❤️ open source, if you rely on it in your work, if you make it yourself, or you just care about its future 👉come join us on June 5th for Upstream👈, a free one-day virtual event celebrating open source, the people who use it, and the people who make it. 🎉 This year we'll be exploring a series of exciting new ideas for how to make the open source ecosystem we all depend on work better for everyone. A taste:

Vincent Danen, VP of Product Security at Red Hat, will make the case that our current vulnerability patch management strategy is focused on the wrong goal: getting to zero vulnerabilities instead of reducing actual risk (and he'll share how we can fix it!).

Jack Cable and Aeva Black from the US Cybersecurity and Infrastructure Security Agency will explain why we need to rethink how security is designed into our technology products and, using lessons learned from how we made automobiles safer, will show us how we can improve security outcomes proactively instead of bolting on security as an aftermarket feature.

Frank Nagle from Harvard Business School will share highlights from his recent research that found that our shared open source infrastructure is worth 8.8 trillion dollars 😳 , and discuss with Tidelift co-founder Luis Villa some ways we might preserve or expand that value.

There's much, much more, but you should go check out the full agenda for yourself and sign up to attend. 🔎 https://lnkd.in/g7qwH8wm (s/o to Forrest Brazeal for the image to best my 1000 words)
-
Right now, reps from big cos and large foundations are getting ready to determine the implementation for the most impactful regulation on software to date: the Cyber Resilience Act (CRA). This is almost certainly going to have a large economic impact on the industry, especially open source.

A lot of effort was made "seemingly" in an effort to protect open source from original drafts of the CRA last year, and yet on reading, it's not clear to me that efforts have produced outcomes that will support small open source companies or independent maintainers. Instead, it seems a lot of effort is being made (in some ways obviously) to protect open source foundations. The confusion around open source foundations and who they serve is an easy and common one to make- but if you follow the money, a 501c6 org is made to support its members and *rarely* is it true that the members are comprised of independent maintainers. It's also worth noting that thanks to deep inequities across the industry, small and medium-sized businesses rarely enjoy any meaningful amount of representation in your classic open source foundation.

While the ink is now dried on the formal wording of the CRA legislation, its implementation is only about to get started. The Eclipse Foundation is hosting the Open Regulatory Compliance Working Group - a working group that will be charged with formalizing the implementation of this regulation. While the membership of this group is reasonably diverse, I think it's worth noting that there is little to no representation of independent maintainers.

Starting with a kick off today (registration in comments), Tracy Hinds and I are kicking off a several months long feedback session w/a Github repo and live events, where we read through the CRA and discuss the implications with a variety of awesome maintainer guests such as Jordan Harband, Matteo Collina, Charlie Marsh, William Morgan, Seth Michael Larson and more.

It feels almost incoherent to say we need to "shift open source policy left" but I think for too long, open source foundations have been treated as a proxy for a constituency they simply do not represent. If you're excited about this, get in touch, sign up for the event, and participate on the repo! (again, links in comments)
-
'To that end I want to be very clear: CISA does not seek to control or regulate the open source community. Instead, our goal is to show up, as a community member, and steer our resources in ways that can help support secure by design open source software development practices and encourage its responsible usage.' [Does CISA have the money to do either robustly?]

'As we know, package repositories are uniquely positioned to improve the overall security posture of open source software in a way that benefits all users. At the same time, we recognize that these package repositories are so often resource constrained.'

'We recognize that working with this community will be a little different than how we typically work with companies, especially given the unique international complexities at play due to open source’s global nature.'

'I think we are all in agreement that the security of OSS is at its best when everyone—volunteer contributors, foundations, companies and governments—are working together.'

'How software manufacturers approach open source software is fundamental to SBD [Secure by Design]. We need companies to be both responsible consumers of and sustainable contributors to the open software they use.' [YES.]

'For open source software to be foundationally more secure, software manufacturers must invest some of the value they get from open source software back into the ecosystem. At the same time, software manufacturers must put away notions of profit-motivated insecurity leaving some open source software inherently less secure by default than proprietary versions.' [I feel for the Director - her role is often jawboning to private firms ignorant of OSS security being fundamental to their remaining going concerns.]

'A thriving open source ecosystem is a strong defense against a divided world—digital or otherwise.' [Curious phrasing.]

'The hope, however, is that by strongly committing to collaborative open source principles and prioritizing security considerations early and often, it will be substantially more difficult for such bad actors to succeed.'

'It is important that the open source community continues to thrive, and it is also imperative that we do this work in close coordination.' https://lnkd.in/g8tFnvuE
-
In his latest post on the Tidelift blog, CMO Chris Grams makes the case as to why you should attend Upstream 🫵✨ As you may have heard, the theme for this year’s Upstream is “unusual ideas to solve the usual problems” as it relates to #opensource health and security. What are the usual problems? Chris has the answers and highlights each with illustrations from the exceptionally talented Forrest Brazeal:

- Corporations continue to indiscriminately consume open source without supporting the open source maintainers who work hard (and often unpaid) to keep projects secured and well maintained.
- The software supply chain has turned into a vulnerability identification and remediation industrial complex. These endless streams of alerts are bogging down application development teams and diverting attention from reducing risk, reactively or proactively.
- Lastly, as we’ve found in our last open source maintainer survey, over 60% of maintainers have either quit or considered quitting, listing burnout, being underpaid, and feeling overwhelmed as reasons why.

At Upstream, these usual problems will be met with unusual ideas. For example, we’ll be hearing from:

Vincent Danen, VP of Product Security at Red Hat who proposes that our current system for vulnerability patch management is broken and we need a revolution! 🫡

Jack Cable and Aeva Black from the Cybersecurity and Infrastructure Security Agency (CISA) offer up their unusual idea: bake security into our technology products by design rather than bolting security on as an aftermarket feature. 🍰

Fiona Krakenbürger from the Sovereign Tech Fund and Mirko Boehm from the Linux Foundation Europe share unusual “carrot” (providing incentives to people and organizations to do more security work) and “stick” (penalizing them for not doing the work or after security incidents happen) approaches to improving #opensourcesecurity already being tested in Europe. 🥕

Gabriele Columbro and Tosha Ellison from FINOS will join John Mark Walker from Fannie Mae to present new methods to improve open source security being driven out of the financial services industry, which has long been a leader in embracing new ways to help open source software become more secure and resilient. 💰🔐

Frank Nagle from Harvard Business School will share highlights from his recent research that found that our shared open source infrastructure is worth 8.8 trillion dollars, and discuss with Tidelift co-founder Luis Villa some interesting ways we might preserve or expand that value, including what we can learn from other important “public good” infrastructure like roads, bridges, and the electrical grid. 🔌

If you use and/or create open source and want to learn more about some new ideas for addressing these age-old problems, please stop by for Upstream, our virtual, one-day event, on Wednesday, June 5! See you there 👋 https://lnkd.in/g2fF9MDF
-
I always enjoy the topics presented at Upstream - it's unique and also timely if you care about open source risk and increasing your signal to noise ratio.
-
How to Explain the Security Advantages of Open Source https://lnkd.in/gfTxqiYr

In a recent conversation with my family, we all shared that our personal information had been stolen through one cybersecurity breach or another… at this point, whose data hasn’t? But the discussion led me to explain the security advantages of open source code versus proprietary counterparts in their data-layer infrastructure. It wasn’t long before someone asked the reasonable question: “But… if the code is open to everyone, how is that safer than keeping it secret?” There’s a special joy in explaining something seemingly counterintuitive but nevertheless true. I’ll tell you what I was excited to tell them.

Small Security Teams Versus Communities of Thousands

Open source code is often more secure precisely because it’s open for all to see. You might reason that code completely exposed to potential hackers gives them every opportunity to discover successful angles of attack. That’s true, but thousands of open source community members also have those same opportunities. Open source code is battle-tested by myriad developers and organizations who are actively working to expose and address security flaws (while also improving the software’s reliability and functionality). Best of all, these individuals and teams across the world collaborate and openly share their insights and expertise to resolve identified bugs and vulnerabilities, doing so with the speed and seamlessness you’d expect from so much combined and coordinated effort. Not to knock proprietary development teams — which do the best they can with finite resources — but even the largest internal team cannot match the security-hardening capabilities of a vast open source community. (Take the especially strong communities of Apache Cassandra and Apache Kafka as a couple of examples.) At the same time, open source invites organizations to understand exactly how their data infrastructure tools function at the code level, making integrations simpler and outcomes more predictable.

Open Source Will Stay Open, Even if a Fork Is Necessary

The free and transparent access to code that defines pure open source software’s security advantages also comes with the peace of mind that communities will fight to keep it that way. Adopting proprietary software puts organizations at risk of potential vendor and technology lock-in, limiting their agility to change course if a solution falls short of their needs (security or otherwise). There are also cases where vendors offering open source software will change to a new license that allows for “open core” practices, which can restrict code transparency and are often simply proprietary software by another name. The good news for organizations that feel like a vendor is pulling the rug out from under them in this way: Communities won’t stand for it. The industry has seen numerous examples — including recently with the Valkey Redis fork — of vendors switching to...
-
We often champion open source software, because of its freedom, including from vendor lock-in, and its collaborative nature. We call for adoption of open source in digital public infrastructure. This paper blasts the reliability assumption of open source, and argues that relying on it for critical infrastructure poses risks. Open source projects face resource constraints, leading to potential security gaps, and like other public goods, suffer the free-rider curse. Hence, the tragedy of the digital commons (similar to the tragedy of the commons on resources). The solution? Targeted regulations could support open source projects with necessary resources and ensure their security. This approach allows open source to remain a vital asset to the infrastructure while addressing its vulnerabilities. #Criticalinfrastructure
Tragedy of the Digital Commons
papers.ssrn.com
-
CISA Announces Initiative to Fortify Security of Open Source Package Registries

CISA's new initiative collaborates with the open source ecosystem to enhance the security of package registries, promoting a set of best practices in the interest of securing critical infrastructure. by Sarah Gooding

The #CybersecurityandInfrastructureSecurityAgency (#CISA), the U.S.’ lead #cyberdefenseagency, is collaborating with the #opensource #ecosystem on new initiatives to secure the critical #infrastructure that powers modern digital life. CISA’s March 5-6 #OpenSourceSoftware #Security Summit included representatives from open source foundations, package repositories, civil society, industry and federal agencies. CISA Director Jen Easterly delivered the opening remarks, acknowledging the value of OSS to the economy and its potential for exploitation:

"A recent Harvard study estimated that open source software has generated over eight trillion dollars in value to our society. That level of impact is astonishing, and the continued growth and successes of this movement are a testament to the underlying logics of open source that inherently promote and reward innovation and collaboration. This would not be possible without your tireless efforts to ensure that open source software is scaled in secure and sustainable ways. We at CISA are particularly focused on OSS security because, as everyone here knows, the vast majority of our critical infrastructure relies on open source software. And while the Log4Shell vulnerability might have been a big wakeup call for many in government, it demonstrated what this community has known and warned about for years: due to its widespread deployment, the exploitation of OSS vulnerabilities becomes more impactful."
CISA Announces Initiative to Fortify Security of Open Source Package Registries - Socket
socket.dev
-
Be sure to check out Michael C.'s excellent analysis! While politics casts a long shadow over the business of Congress (Members have ONE JOB: to vote), cyber policy and operators must NOW understand the mechanics of the legislative branch.

➡ “Chevron is overruled. Courts must exercise their INDEPENDENT judgment in deciding whether an agency has acted WITHIN its statutory authority, as the APA requires.” - Chief Justice Roberts

🏁 Detailed, objective, and well-informed legislation is the new watermark, as courts and congressional staff are unlikely to have the technical expertise. This means -

➡ SCOTUS's decision will complicate the Biden administration's plans to improve critical infrastructure cyber hygiene by leveraging the Executive Branch's various rule-making authorities. A few watch items include:
1️⃣ SEC rules regarding cybersecurity disclosures
2️⃣ TSA cybersecurity regulations
3️⃣ GLBA incident reporting rules
4️⃣ Hospital security rules
5️⃣ CISA's pending CIRCIA
6️⃣ US Coast Guard's cybersecurity rules
7️⃣ EPA water system cybersecurity requirements

🗣 "The effects of Chevron’s demise will likely be MOST dramatic in the lower federal courts, some of which have continued to apply Chevron in recent years, even as the Supreme Court has rarely invoked the doctrine over the past decade.” - Gibson Dunn
More thoughts on the impact to federal #cybersecurity from the #SCOTUS #Chevron takedown. Under Chevron, jump balls over legal clarity went to the Agency. ("Your Honor, the law is unclear here, but since we're the experts we issued a rule to clarify the section...") This enabled #Congress to abdicate the seriousness of their lawmaking duties and kick the can over to the #ExecutiveBranch to figure out the finer points. Here's the textbook #polisci example:

*An Act, In Congress*
Section 1. This Act shall be called, "The Happy and Glad Act"
Section 2. Nothing shall be other than happy and glad.
Section 3. The Executive Branch agency shall define both "happy" and "glad" and undertake such rulemaking as is necessary in order to carry out Section 2.

❌ This is not a joke. 🏛 This is how bills before Congress actually read. Consider: S. 917, a bill to address the problem of #OpenSource cybersecurity. https://lnkd.in/eXMTxTdF

1️⃣ Section 1. This Act shall be called the “Securing Open Source Software Act of 2023”.
2️⃣ Section 2. Congress finds that Open Source is important but securing it is so tough that the #FederalGovernment needs to swing into action.
3️⃣ Section 3.
- Defines Open Source
- There shall be a "Software Bill of Materials (#SBOM) defined by however the U.S. Department of Commerce decides in subsequent versions of their first stab at it, here: https://lnkd.in/ePqmgybc
- The Director of Cybersecurity and Infrastructure Security Agency (#CISA) is responsible for figuring out #opensource security, hiring people at CISA who can figure out #opensourcesecurity, and talking/coordinating with people who can figure out open source security.
- And once these smart Executive Branch employees scope out just how bad the problem of open source security is and how to solve it, they've got one year to send Congress a "Framework" telling us what they've done.
4️⃣ Section 4. Add "Figuring out Open Source Security" to a list of To-Dos for a CISA advisory committee (#FACA) https://lnkd.in/etUy79zH
5️⃣ Section 5. Meanwhile, while CISA is figuring out how to fix Open Source Security, the Director of Office of Management and Budget (#OMB) will publish guidance to all the Federal #CIOs telling them to figure it out for their agencies, too.
6️⃣ Section 6. Use whatever authorities you think we've already given you to do (c) all of the above.

❌ S. 917 doesn’t legislate a solution to #OSS security. It has no idea. It tells CISA to figure it out, do something, & report back.
❌ The point is NOT to roast S. 917 or substantive efforts to address the very real problem of open source security.
💡 The point is that agency actions taken under #legislation like this may face legal challenge. And when they do, the #Courts are not going to defer to agency solutions based on implied authorities, but are going to insist on seeing it in black and white in the text.
Text - S.917 - 118th Congress (2023-2024): Securing Open Source Software Act of 2023
congress.gov
-
The Digital Forensic Research Lab (DFRLab) at the Atlantic Council released a report last week that shows a correlation between funding for maintainers and better security practices in open-source projects. (link to original report in comments) The report found that open-source projects with funding have better security practices in place. This may not come as a surprise to some, and the authors, Sara Ann Brackett, John Speed Meyers, and Stewart Scott, state: "This study presents prima facie evidence of a positive effect of general open source software funding on open source software security.” The report's statistical and quantitative evidence suggests that more funding positively correlates with better compliance with several, though not all, security practices. It also found that a greater number of unique sources of open-source funding for a given project corresponds to a project with better security practices. Lauren Hanford, VP of Product at Tidelift, discusses the findings and muses on the next phase of questions to ask. #opensource #security #funding
New report from Atlantic Council finds paying maintainers can positively impact open source security
blog.tidelift.com
Comment: Did anyone mention the work OSS Pledge are doing https://opensourcepledge.com/members/