Blind trust in open source security is hurting us: Report

The Linux Foundation

At the 2022 Open Source Summit in Austin, TX, The Linux Foundation, the leading open source non-profit group, with its partners and Snyk, a leading developer security company, released their first joint research report, The State of Open Source Security, which uncovered worrying news. 41% of organizations are not confident in their open source software security. Worse still, not even half, 49%, have an open source security policy at all.

This is lousy news.


True, open source software is inherently more secure than its proprietary rival. After all, you can look at open source code to see if there are any problems, while proprietary programs are a riddle wrapped in a mystery inside an enigma.

But, as recent open source security holes such as Log4j, colors.js, and faker.js have shown, just because the problems can be looked for doesn't mean they'll be found, especially if no one's looking for them.

Eric S. Raymond, an open source founder, famously said, “Given enough eyeballs, all bugs are shallow.” But, “Linus’s Law” only works if someone is actually looking. If no one is, then you’re still open to attack. Or, as with Log4j’s vulnerability, we know about the problem, the

Read More: https://www.zdnet.com/article/blind-trust-in-open-source-security-is-hurting-us/#ftag=RSSbaffb68