Here Are Some 2024 Predictions from Tidelift

Posted in Commentary with tags on December 22, 2023 by itnerd

Tidelift is a provider of solutions for improving open source software supply chain resilience, an issue that, judging from both government and industry attention, will remain pressing in 2024. Here’s commentary from Tidelift’s CEO and co-founder Donald Fischer for your reading pleasure.

Another Log4Shell-sized vulnerability leads organizations and government to finally eliminate their open source blind spot. For many years, there has been a blind spot within organizations when it comes to open source software security. These organizations bring in open source packages without knowing whether the maintainers of these packages follow the same secure development practices the organization would require of their own code. In 2024, the emergence of a new Log4Shell-scale vulnerability finally convinces organizations that “nothing comes for free.” They begin paying more attention to their open source suppliers and start making the changes necessary to ensure that the maintainers developing the code they rely on are properly incentivized to do important security and maintenance work. Interestingly, the U.S. federal government emerges as a leader of this effort and begins to invest in paying for the security and maintenance work of open source maintainers.

New government security mandates around the world create a confusing GDPR-like moment for open source security. As new government security requirements emerge (like those required under M-22-18 and White House Executive Order 14028 in the US and the Cyber Resilience Act in the EU), confusion reigns for organizations and open source maintainers. The lack of clear direction and conflicting incentives and penalties actually slows down progress toward improving security outcomes intended to be served by the regulations.

Open source contributors fed up with corporate interests exploiting open source start fighting back. After a period in which the principles underlying the open source movement took a back seat, open source contributors will rediscover open source’s roots in the free software movement and start fighting back against commercially controlled projects bending and breaking open source principles in search of profits. Interestingly, by revisiting the original core tenets of open source, organizations will begin to once again reap the benefits of the model as it returns stronger than ever, with new antibodies to protect it.

In 2024, we see the rise of dedicated open source product security teams within organizations. As open source continues to expand its footprint within commercial products, product security groups will begin building out dedicated teams focused exclusively on the security of the open source components that make up much of the source code in their products.

Intellectual property issues return as a primary concern in open source. In part driven by the increasing attention on the provenance of data used to train AI machine learning models, organizations return to paying closer attention to IP issues with open source and the “legal technology” patterns innovated by open source licenses.

Already overwhelmed open source maintainers “cry uncle” as well-intended, AI-generated pull requests create a snowball of even more noise for them to deal with. Predictably, the end result is even more frustrated maintainers, many of whom will quit their maintenance work altogether, leading to more security risk for organizations.