Open source software maintainers—appropriately—push back
In 2022, against a backdrop of rising software supply chain attacks—most notably Log4Shell—industry and government leaders launched a series of initiatives to improve open source software security. In 2023, we will see even more open source maintainers beginning to push back against the new requirements coming out of these initiatives. Why? Because many of them see these requirements as an “unfunded mandate,” a request for them to do additional work without being compensated for it.
According to last year’s open source maintainer survey, the vast majority of maintainers are volunteers, with 45% of them earning nothing for their work and over 70% earning less than $1000 per year. Piling more responsibilities onto maintainers who are already overworked is not going to go over well.
So in 2023, we will also see more maintainers requesting compensation, saying no to the work, or even in some cases abandoning their projects or staging protests. Smart organizations will recognize this work/compensation imbalance—and act to correct it—in order to ensure the continued resilience of the software they depend on. We’ll also start to see a clearer distinction between professional open source maintainers who are willing and able to do this work for pay, and those who are hobbyists by choice and choose to ignore it.
Open source software security becomes the law of the land
To date, government involvement in open source security has been mostly behind the scenes. The SolarWinds compromise and the Log4Shell vulnerability awakened a sleeping giant. Now, in large part due to initiatives emerging from the 2021 White House Executive Order on Improving the Nation’s Cybersecurity (EO 14028), government agencies are paying close attention to open source security issues.
In 2023, recently proposed bipartisan legislation regarding open source software security will become the law of the land. It does raise the question, however, of whether government funding for these initiatives will move just as quickly—and if not, who will be responsible for doing, and paying for, the work these unfunded mandates require. 2023 will bring more clarity to these questions.
Log4Shell was a warning shot
In the wake of the Log4Shell vulnerability, many reports have indicated that very little actual data was breached. While this is good news, it is important for organizations to see Log4Shell as a call to action: the next widely deployed vulnerability may not be so forgiving, and organizations need to be prepared to find and remediate it quickly across everything they run. The new year will also see recognition that attacks are not just on businesses but could very well have a societal impact, with things like water supplies, electric grids, election security, and other critical infrastructure becoming targets.
The shine on SBOMs starts to fade as leaders recognize they are not a silver bullet
Software Bills of Materials (SBOMs) play an important role in securing the open source software supply chain, but by themselves they are not the complete answer to managing and securing it. An SBOM is an inventory; it tells you which components are present, not whether they are actively maintained, whether a known vulnerability in them is actually exploitable in your deployment, or who will fix it when one is. In the new year, we will see the SBOM conversation move past the basic “ingredients list” discussion to SBOMs as one part of a larger strategy for improving the resilience of the software supply chain.
Open source and AI realize their shared potential in 2023, but it gets complicated in a hurry
The massive potential of open source-powered AI efforts will quickly be realized in 2023, as new machine learning models find an ever-growing set of important use cases. Yet it could be a bumpy road, as several questions will need to be addressed: who owns code written with a machine learning model that was trained on open source, whether that use is compatible with open source licenses, and whether the output is a derived work.
New stakeholders are concerned with open source software supply chain security
Conversations around the risks to open source supply chain security have moved beyond security teams and are now taking place among overall business leadership and in the boardroom. Due to increased attention spurred on by the White House Executive Order and several other industry-wide initiatives, the coming year will see “new players” interested in supply chain security—in government, finance, critical infrastructure, and more.
– Donald Fischer, CEO and Co-Founder, Tidelift