For Open-Source Software, the Developers Are All of Us


"We are stronger together than on our own." This is a core principle that many people adhere to in their daily lives. Whether we are overcoming adversity, fighting the powers that be, protecting our livelihoods or advancing our business strategies, this mantra propels people and ideas to success.

In the world of cybersecurity, the message of the decade is "you're not safe." Your business secrets, your personal information, your money and your livelihood are at stake. And the worst part of it is, you're on your own. Every business is beholden to hundreds of companies handling its information and security. You enter information into your Google Chrome browser, on a website running Microsoft Internet Information Server, and the website is verified through Comodo certificate verification. Your data is transmitted through Cisco firewalls and routed by Juniper routers. It passes through an Intel-branded network card on your Dell server and through a SuperMicro motherboard. Then the data is transmitted through the motherboard's serial bus to the SandForce chip that controls your Solid State Disk and is then written to Micron flash memory, in an Oracle MySQL database.

You are reliant on every single one of those steps being secure, in a world where the trillion-dollar problem is getting computers to do exactly what they are supposed to do. All of these systems have flaws. Every step has problems and challenges. And if something goes wrong, there is no liability. The lost data damages your company, your livelihood, you.

This problem goes back decades and has multiple root causes that culminate in the mess we have today. Hardware and software makers lack liability for flaws, which leads to sub-par rigor in verifying that systems are hardened against known vulnerabilities. A rise in advertising revenue from "big data" encourages firms to hoard information, looking for the right time to cash out their users' information. Privacy violations go largely unpunished in courts, and firms regularly get away with enormous data breaches without paying any real price other than pride.

But it doesn't have to be this way. Open software development has been a resounding success for businesses, in the form of Linux, BSD and the hundreds of interconnected projects built for those platforms. These open platforms now account for the lion's share of the server market, and businesses are increasingly looking to open software for their client infrastructure as well, as a low-cost, high-security alternative to Windows and OS X.

The main pitfall of this type of development is the lack of a profit motive for the developers. If your software is developed in the open, everyone around the world can find and fix your bugs, but they can also adopt and use your coding techniques and features. It removes the "walled garden" that so many software companies currently enjoy. So we as a society trade this off. We use closed software and trust that all of these companies are not making mistakes. This naiveté costs the US around $16 billion per year from identity theft alone.

So how do we fix this problem? We organize and support open software development. We make sure that important free and open security projects have the resources they need to flourish and succeed. We get our development staff involved in open-source projects so that they can contribute their expertise and feedback to these pillars of secure computing.

But open software is complex. How do you know which projects to support? How can you make this software easier to use? How can you verify that it is actually as secure as possible?

This is where we come in. We have founded the Open Source Technology Improvement Fund, a 501(c)3 nonprofit whose only job is to fund security research and development for open-source software. We vet projects for viability, find out what they need to improve and get them the resources to get there. We then verify that their software is safe and secure with independent teams of software auditors, and work with the teams continuously to secure their projects against the latest threats.

The last crucial piece of this project is you—the person reading this. This entire operation is supported by hundreds of individuals and more than 60 businesses who donate, sit on our advisory council and participate in the open software movement. The more people and businesses that join our coalition, the faster we can progress and fix these problems. Get involved. We can do better.

For more information, visit OSTIF: https://ostif.org.

—Derek Zimmer