How to make open source software more secure
Earlier this year, a Microsoft developer realized that someone had inserted a backdoor into the code of open source utility XZ Utils
Earlier this year, a Microsoft developer realized that someone had inserted a backdoor into the code of open source utility XZ Utils, which is used in virtually all Linux operating systems.
The operation had started two years earlier when that someone, a person nicknamed JiaT75, started contributing to the XZ Utils repository on GitHub. A cybersecurity expert called this attack a “nightmare scenario” and “the best executed supply chain attack we’ve seen.”
The attack, which followed other well-known cybersecurity incidents involving open source software like Heartbleed, Shellshock, and Log4j, was another stark reminder that open source software, given how widespread it is, can pose significant security risks.
At TechCrunch Disrupt 2024, Bogomil Balkansky, partner at Sequoia Capital; Aeva Black, the section chief for open source security at the U.S. Cybersecurity and Infrastructure Security Agency; and Luis Villa, the co-founder of Tidelift, sat down to discuss the challenges of securing open source software.
“I like to say open source is not free like pizza. It’s free like a puppy. You take it home and don’t feed it, it’s going to eat your furniture, your shoes,” said Black.
Balkansky called open source software the “lifeblood of software,” which makes it “foundational and baked into everything.” The problem, Balkansky added, is that “the business model for open source is still very much work in progress.”
So, who should take care of it and pay to secure it?
Villa and his team at Tidelift propose a model where the company pays open source maintainers to take care of their code and partners to fix vulnerabilities.