Free and Open Source Software (FOSS) has become a critical part of the modern economy. It has been estimated that FOSS constitutes 80-90% of any given piece of modern software, and software is an increasingly vital resource in nearly all industries. This heavy reliance on FOSS is common in both the public and private sectors, in both tech and non-tech organizations. Therefore, ensuring the health and security of FOSS is critical to the future of nearly all industries in the modern economy.
To better understand the state of security and sustainability in the FOSS ecosystem, and how organizations and companies can support it, the Linux Foundation‘s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) collaborated to conduct a widespread survey of FOSS contributors as part of larger efforts to take a pre-emptive approach to strengthen cybersecurity by improving open-source software security.
These efforts — recently incorporated into the Open Source Security Foundation (OpenSSF) working group on securing critical projects — aim to support, protect, and fortify open software, especially software critical to the global information infrastructure.
This survey’s primary goal is to identify how best to improve FOSS’s security and sustainability — especially those projects that are widely relied upon by the modern economy. Specifically, the survey seeks to help answer the question,
“How can we better incentivize adequate maintenance and security of the most used FOSS projects?”
Importantly, in conducting this survey, the research team sought to take a holistic view of security. The methodology for recruiting survey participants emphasized contributors to FOSS projects that have been identified as widely used via previous research that culminated in the release of “CII Census II Preliminary Report – Vulnerabilities in the Core.”
This new report summarizes the results of a survey of free/open source software (FOSS) developers in 2020. The goal was to identify key issues in improving FOSS’s security and sustainability since the world now depends on it as a critical infrastructure that underlies the modern economy.
To capture a cross-section of the FOSS community, the research team distributed the survey to contributors to the most widely used open source projects and invited the wider FOSS contributor community through an open invitation. It captured more technical aspects of security and also considered the more human side.
The survey included questions about contributor motivations and level of involvement, corporate involvement in FOSS, the role of economic considerations in contribution behavior, and sought to answer the following:
- Demographics: What are the demographics of FOSS contributors? In particular, what are their gender, employment, and geographic location?
- Motivations: What are their reasons for starting, continuing, or stopping contributions to FOSS? How can projects keep contributors engaged, and do contributors feel that their employers or others value their work?
- Pay: How many FOSS contributors are paid for their work on FOSS? If paid, by whom (e.g., by employers and/or corporate sponsorship)? If they are not, does the lack of payment lead to significantly poorer security or sustainability?
- Time Spent: How much time do contributors spend contributing to FOSS, and how would they like to spend it? Is there an interest in increasing time spent on security issues?
- Aid: What kinds of actions from external actors would help improve security (e.g., code contributions and/or money)?
- Current activity: What kinds of security-related activities are already taking place in the FOSS projects represented by the respondents?
- Education/training: How much education/training have FOSS contributors had in secure software development and operations? From which sources did they receive it?
The goals in running this survey were to understand the state of security and sustainability in FOSS and identify opportunities to improve them, and ensure FOSS’s viability in the future. In particular, this survey focused on the “human side” of FOSS, more than the technical side, although the two are certainly inter-related, and these findings relate to both.
The results identified reasons for optimism about the future of FOSS (individuals are continuing to contribute to FOSS, companies are becoming friendlier to FOSS to the point of paying some employees to contribute, etc.), but also areas of concern (in particular, the lack of security-related efforts, and potential difficulties in motivating such efforts).
In the end, free and open source software is, and always has been, a community-driven effort that has led to the development of some of the most critical building blocks of the modern economy. This survey highlights the importance of the security of this important dynamic asset. Likewise, it will take a community-driven effort, including individuals, companies, and institutions, to ensure FOSS is secure and sustainable for future generations.
- Frank Nagle, Harvard Business School
- David A. Wheeler, The Linux Foundation
- Hila Lifshitz-Assaf, New York University
- Haylee Ham, Laboratory for Innovation Science at Harvard
- Jennifer L. Hoffman, Laboratory for Innovation Science at Harvard