Hear Tidelift VP of Product, Lauren Hanford discuss the current state of the open source maintainer and how most maintain open source software projects without pay, and why this matters when looking at these new secure software development practices.
This video clip comes from our on-demand webinar, how the NIST SSDF impacts open source software. In this webinar, Lauren and Senior Product Marketing Lead, Kanish Sharma discuss the NIST SSDF and how organizations can follow its guidance when they are building applications with open source software. You can watch the entire webinar on-demand here.
Open source software does rely largely on volunteer maintainers. When we look at the Log4j example—when Log4Shell hit, this was a package that had been maintained for years by unpaid maintainers. And they were dealing with one of the largest security vulnerabilities, certainly in recent history, in their spare time.
This is a multifaceted problem. It's a visibility problem where software companies may not have the visibility that they need to know what all they're relying on, and to what degree it's going to be there in the long term—that someone's taking care of it, that someone's being responsive to vulnerabilities. It's a time and incentive problem, which we see in the screenshots here from the maintainer, sharing their experiences. And I think that we are really in this moment of turning the page on the accountability problem. These maintainers on this particular vulnerability, they issued a series of fixed releases to address the problem. They knew how much this package mattered in the software supply chain.
But again, I think we're in this moment where the NIST SSDF, the Cybersecurity Strategy, and M-22-18 are making it clear that the accountability on bringing in open source components, and knowing where they sit within an organization, is going to sit on the consumer, the folks that are bringing it in and producing software. So what we can't continue to have here, and really see in secure development and in a secure supply chain, is this continued moment of crisis after crisis. A major threat happens and unpaid maintainers are having to field inquiries on that threat, all while they're trying to also fix the problem as quickly as possible.