Funding Worries Threaten Ability to Secure OSS Projects
LONDON — The tech downturn has highlighted the precarious way open source software foundations are funded and could exacerbate the challenge of plugging security holes and making projects more sustainable.
Rust Foundation CEO Rebecca Rumbul told the State of Open Con in London in February that for years, security had been “criminally neglected” and treated as a bolt-on.
In addition to far too many CompSci graduates coming out of university without understanding the basics of security, too much security work has been hidden within big corporate institutions. “That’s a problem,” Rumbul said. “Because if we don’t know what the gaps are, we don’t know how to fill them.”
While governments are taking a much closer interest in cybersecurity, there are concerns that regulators can miss the nuances of open source. A case in point is the European Union’s proposed Cyber Resiliency Act, which is seen as attempting to shift the liability for security from open source users to open source contributors.
Organizations like the Rust Foundation, then, are essential to work “for the common good,” Rumbul argued, both by actively securing code and by working with governments and corporations in a neutral way.
“We need a critical mass of skilled and experienced people to do this,” she said. “We can’t just rely on one or two people. People come and go. Investing in replenishing that resource is absolutely key.”
She added, “We can’t assume that every business decision about security made by a corporate body will also be for the common good. Individual maintainers should absolutely not be responsible or liable for this.”
But this needs to be supported financially and can’t be done on the sort of shoestring budgets most industry foundations typically operate on.
“The key to enabling good security work that can be directed like this in the open is to develop a sustainable funding model,” Rumbul said. Rust’s platinum members include the likes of Amazon Web Services, Google, Huawei, Meta, JFrog and Microsoft, while “donors” include Activision, CarGurus and repl.it.
Last year, the organization received a grant from the OpenSSF’s Alpha Omega Initiative and established a security team, while JFrog committed members of its own security team.
But organizations like the Rust Foundation are typically funded on an annual basis and can’t predict from year to year what their budgets will actually be. The tech downturn has depressed corporate spending and resulted in large-scale layoffs, which means even more uncertainty. If this led to a reduction in membership, Rumbul said, this could leave a huge hole in the organization’s budget.
“It’s been amazing to have finances given to us to support our security work, but that’s for a year. I can’t fix security in a year,” said Rumbul.
“If we all want a secure place to live, work and play online, we should all be contributing to it. And government should contribute,” she said. “We kind of forget governments use so much open source, I think the problem is half the time, they don’t know it.”
Instead, governments should be leading the way: “They should be setting a real example to everyone else, that if you are using open source in your day to day, then you should be paying for it.”
Rust’s profile has been boosted by the U.S. government, which has estimated that around 70% of vulnerabilities would be addressed if developers switched to Rust and other memory-safe languages.
Speaking to The New Stack, Rumbul said the foundation was lucky to have some very stable tech organizations in its platinum membership tier.
But, she continued, “I know some other languages I think who have suffered, and I think some open source offices and programs maybe have shed a few staff as well. So that’s not a great indication.”
Amanda Brock, CEO of OpenUK, which organized the conference, said the open source ecosystem needed a more sustainable model for the future and funding was “definitely more of a concern than it was.”
However, she added, “I suspect that the complete lockdown that we’re seeing on spend is something that will last a few months. I expect by Q3 that will have moved on.”
There had been a boom in post-lockdown spending, Brock said — for travel, for example — and a number of factors have damped down spending. “I think in many ways it’s sensible to be conservative. Protecting the staff that you’ve got is a huge responsibility.”