Why transparency is critical to your open source project's security
By Ana Jimenez
A community's health and transparency are good measures of a project's security.
The Biden Administration's recent executive order on cybersecurity aims to improve security assurance and the use of best practices. Transparency and project health are two factors that help to support security across the entire software industry—especially now.
Software security is now open source software security
Because 92% of modern applications contain open source components, improving software security generally means improving open source software security.
According to the Biden executive order:
"The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is."
Transparency is a cornerstone of security assurance because it helps establish trust and confidence in the technology. Indeed, without transparency, trust and security evaporate. Therefore, one of the ways we can help improve security is by enhancing the transparency of our projects.
Transparency through open source can provide information about a project that allows users to assess its health in at least two ways:
- Cross-community environments: Cross-team and community collaboration are key to meeting constantly evolving security, privacy, and safety standards. Because of its open source nature, security is a complex process involving multiple teams within a single organization and across multiple organizations (i.e., cross-community).
- Public disclosure: Transparency also enables organizations to quickly build and issue public security reports to identify potential threats and vulnerabilities.
How to measure transparency to achieve security assurance
Open source should be in the DNA of every modern organization that wants to achieve a high level of transparency. However, transparency involves more than simply allowing access to code, products, designs, services, or APIs. Transparency is a commitment to total clarity.
Open source has evolved into a complex ecosystem of projects and organizations with different kinds of relationships. Open source program offices (OSPOs) enable companies, public institutions, governments, and other organizations to keep tabs on the size and health of their open source ecosystems. They take care of not only the projects the organization is using but also the ones it's releasing or contributing to.
One of the ways to measure transparency across open source ecosystems is by assessing the answers to the following questions about a community's health:
- How many maintainers are needed to keep the project sustainable? The Bus Factor is a way to determine how many contributors a project can lose before it stalls. The metric (which hypothesizes what would happen if certain contributors got run over by a bus) calculates the smallest number of people who make 50% of contributions and visualizes the answer.
- Who are the core developers? The Onion Model is an approach to identifying the most committed developers and the ones the project relies upon most.
- What organizations are involved in the software development process? In addition to analyzing the number of companies whose employees make commits, issues, or code contributions, the Elephant Factor determines the minimum number of companies doing half of the work.
- Does the software have security certifications? Possessing well-known security certifications, such as the Core Infrastructure Initiative Best Practices Badge, indicates that open source projects follow best practices and meet required certification criteria.
- How active is the community? There are various ways to assess whether a community is active. One way is to look at the community's reaction speed, including how fast issues are resolved vs. how many are ignored.
Most of these questions are part of the CHAOSS metrics definition. Community Health Analytics Open Source Software (CHAOSS) is a Linux Foundation project focused on creating a standard set of metrics and software to help define open source community health. Its GrimoireLab tool makes it easier for projects to analyze and report their community health metrics.
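The Bus Factor, the Elephant Factor, and the reaction-speed check from the list above can all be computed from a project's commit and issue history. The following is an added example, not code from the article, from CHAOSS, or from GrimoireLab; it uses a small constructed commit log and issue list (all names and dates are placeholders) and applies the definitions exactly as the list gives them: the smallest number of people (or organizations) responsible for 50% of contributions, and the median time to close issues alongside the number of open issues that have been ignored past a threshold.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample data (hypothetical; not taken from any real project).
# Each commit is (author, employing organization).
COMMITS = (
    [("alice", "org-a")] * 6
    + [("bob", "org-a")] * 3
    + [("carol", "org-b")] * 2
    + [("dave", "org-c")]
    + [("erin", "org-b")]
)

# Each issue is (opened, closed-or-None).
ISSUES = [
    (date(2021, 5, 1), date(2021, 5, 3)),
    (date(2021, 5, 2), date(2021, 5, 9)),
    (date(2021, 5, 4), date(2021, 5, 5)),
    (date(2021, 3, 1), None),   # open for months: likely ignored
    (date(2021, 5, 28), None),  # open, but recent
]


def smallest_majority(counts: Counter, fraction: float = 0.5) -> int:
    """Smallest number of top contributors whose combined work reaches
    `fraction` of all contributions.

    This single routine is the core of both the Bus Factor (counting people)
    and the Elephant Factor (counting organizations).
    """
    total = sum(counts.values())
    running = 0
    for n, (_, share) in enumerate(counts.most_common(), start=1):
        running += share
        if running >= fraction * total:
            return n
    return len(counts)  # only reached when there are no contributions


def bus_factor(commits) -> int:
    """How many individual contributors account for half of the commits."""
    return smallest_majority(Counter(author for author, _ in commits))


def elephant_factor(commits) -> int:
    """How many organizations account for half of the commits."""
    return smallest_majority(Counter(org for _, org in commits))


def responsiveness(issues, today: date, stale_after_days: int = 30) -> dict:
    """Median days-to-close for resolved issues, plus how many open issues
    have sat untouched longer than `stale_after_days` (the 'ignored' count)."""
    close_times = [(closed - opened).days
                   for opened, closed in issues if closed is not None]
    still_open = [opened for opened, closed in issues if closed is None]
    stale = sum(1 for opened in still_open
                if (today - opened).days > stale_after_days)
    return {
        "median_days_to_close": median(close_times) if close_times else None,
        "open": len(still_open),
        "stale_open": stale,
    }


if __name__ == "__main__":
    print("bus factor:", bus_factor(COMMITS))          # 2
    print("elephant factor:", elephant_factor(COMMITS))  # 1
    print(responsiveness(ISSUES, today=date(2021, 6, 1)))
```

On this constructed data the Bus Factor is 2 (alice and bob together exceed half of the commits) and the Elephant Factor is 1 (org-a alone does more than half), which is the kind of result an OSPO would read as a concentration risk: losing one employer or two people would stall the project. The 30-day staleness threshold is an assumption chosen for the example; a real assessment would pick it to match the project's release cadence.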
Open source software took over the world a long time ago. The Biden administration's new executive order is another reason to take the open source ecosystem seriously, as both public entities and private companies rely upon it. But open source innovation has a unique methodology that doesn't follow traditional business processes. Using open source responsibly therefore means investing in OSPOs and measuring transparency, that is, assessing a project's health from its activity, in order to achieve the required security assurance.