A survey of nearly 1,200 FOSS contributors found security to be low on developers’ list of priorities.
A new survey of the free and open source software (FOSS) community conducted by the Linux Foundation suggests that contributors spend less than three percent of their time on security issues and have little desire to increase this.
A report based on the answers of nearly 1,200 FOSS contributors carried out by the Linux Foundation and Laboratory for Innovation Science at Harvard (LISH) highlighted a “clear need” for developers to dedicate more time to the security of FOSS projects as businesses and economies become increasingly reliant on open-source software.
The survey, which included questions designed to help researchers understand how contributors allocated their time to FOSS, revealed that respondents spent an average of just 2.27% of their total contribution time to responding to security issues.
Moreover, responses indicated that many respondents had little interest in increasing time and effort on security. One respondent commented that they “find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks,” while another said: “I find security an insufferably boring procedural hindrance.”
The researchers concluded that a new approach to the security and auditing of FOSS would be needed to improve security practices, while limiting the burden on contributors.
Some of the most requested tools from contributors were bug and security fixes, free security audits, and simplified ways to add security-related tools to their continuous integration (CI) pipelines.
“There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors,” read the report.
“Developers generally do not want to become security auditors; they want to receive the results of audits.”
Other proposed solutions by the researchers included encouraging organizations to redirect efforts into identifying and addressing security issues in projects themselves. Alternatively, developers “could rewrite portions or entire components of FOSS projects that are prone to vulnerabilities,” as opposed to trying to mend existing code.
The researchers continued: “One way to improve a rewrite’s security is to switch from memory-unsafe languages (such as C or
C++
) into memory-safe languages (such as nearly all other languages),” researchers said.
“This would eliminate entire classes of vulnerabilities such as buffer overflows and double-frees.”
Gender diversity – or rather, lack thereof – was another key finding of the report.
Of the 1,196 survey respondents, 91% reported being male and between 25 and 44 years old. The researchers noted that the findings “emphasizes the continuing concerns about a lack of female representation in FOSS communities,” and pointed out that that the lack of female representation in the report suggested that the results were “biased towards male contributors’ FOSS activities and are not fully representative of female contributions to FOSS.”
Most of the respondents to the survey were from North America or Europe, with the majority in full-time employment. Nearly half (48.7%) said they were paid by their employer for time spent on open source contributions, while 44.02% said they were not paid for any other reason.
Interestingly, the results indicated that the COVID-19 pandemic had had
little impact on contributors working status,
with very few respondents reporting being out of the workforce. Again, the researchers noted that due to the lack of female representation in the survey, “these findings may not reflect the experiences of women who contribute to FOSS, particularly those impacted by increased family responsibilities during the pandemic.”
While the overwhelming majority of respondents (74.8% were employed full-time and more than half (51.6% percent) were specifically paid to develop FOSS, money scored very low in developers’ motivations for contributing to open-source projects, as did a desire for recognition amongst peers.
Instead, developers said they were purely interested in finding features, fixes and solutions to the open-source projects they were working on. Other top motivations included were enjoyment and a desire to contribute back to the FOSS projects that they used.
“The modern economy – both digital and physical – is increasingly reliant on free and open source software,” said Frank Nagle, assistant professor at Harvard Business School.
“Understanding FOSS contributor motivations and behavior is a key piece of ensuring the future security and sustainability of this critical infrastructure.”