DEV Community

Cover image for Maintainers are being asked to do more security work. Over 50% didn’t get the memo.
Chris Grams for Tidelift

Posted on • Edited on • Originally published at blog.tidelift.com

Maintainers are being asked to do more security work. Over 50% didn’t get the memo.

In late 2022, Tidelift fielded its second survey of open source maintainers. Hundreds of maintainers responded with thoughts about getting paid for their work, the security and maintenance practices they have in place for their projects, and where they need help most, along with a host of other interesting insights. In this post, we share the third of eleven key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.

Software security is a difficult challenge and attacks on the software supply chain are becoming more frequent. Leaders across government and industry are taking action. In the U.S., the government has begun a large-scale cybersecurity improvement initiative, beginning with the White House Executive Order 14028: Improving the Nation’s Cybersecurity, which led to the NIST Secure Software Development Framework, and more recently the government-wide National Cybersecurity Strategy.

At the same time, industry leaders have come together to identify best practices and standards that will improve open source software security; examples include Open Software Security Foundation Security Scorecards and Supply Chain Levels for Software Artifacts Framework (SLSA).

The common thread across all the initiatives: requiring open source maintainers to undertake additional work to make sure their projects align with these new government and industry standards. With all the work expected from maintainers, we wanted to get an insight into whether they are aware of and following this activity.

First, we asked respondents to tell us which of the most commonly cited standards initiatives they are aware of today, including the OpenSSF Security Scorecards project, the SLSA framework, and the NIST Secure Software Development Framework (SSDF).

Over half of maintainers are not aware of prominent software security standards

The majority of the respondents (52%) said they weren’t aware of any of these new government and industry standards. Roughly 1/4 of maintainers had heard of the OSSF Security Scorecards project or the NIST SSDF, but only 13% had heard of SLSA.

We then dug a little deeper, asking those maintainers who were aware of at least one of the standards if they had plans to ensure their project aligns with those standards.

43% of maintainers are aware of industry security standards have already begun or plan to begin work to align to one or more of them

A little over a quarter of these maintainers (28%) have already begun work to align to these industry standards or plan to begin work within the next year. Only 15% have already begun this work.

Thirty-nine percent have no plans to align to these industry standards, and 19% are still on the fence, reporting that they either do not know or are not sure whether they will do the work to ensure their packages align with these industry standards.

Maintainers are more likely to ensure projects align with OSSF security scorecards than other standards

We then looked in more detail at the intent of the folks who are familiar with each of these standards. Fifty-two percent of the maintainers who are aware of OpenSSF Security Scorecards have already started or plan on starting working to ensure their projects align to the standards. Thirty-seven percent of the maintainers who are aware of the NIST Secure Software Development Framework have already started or plan on starting working to ensure their projects align to the standard. And 34% of the maintainers who are aware of Supply Chain Levels for Software Artifacts Framework have already started or plan on starting working to ensure their projects align to the standards.

Identifying and documenting the best practices and guidelines to improve the overall health and security of the open source software supply chain is important work. However, as this data shows, a significant amount of investment also needs to be made in making maintainers aware of these standards, educating them on the work needed to be done, and ensuring they are incentivized to actually take on the additional responsibilities.

We hope you found some useful and actionable information in this blog post. If you’d like to get notified as future posts come out, please give us a follow. Or if you don’t want to wait, download the full survey results today and RSVP for the webinar on Thursday, May 18 at 3 p.m. ET, where we’ll be unveiling the top findings from the survey.

Top comments (0)