Better collaboration between public and private sectors to advance open-source security is a major unresolved technology concern, especially as open-source software gains global dominance alongside artificial intelligence technology.
Organizations like The Linux Foundation and Open Source Initiative have made significant efforts to advance the open-source cause. However, more cross-industry partnerships and governmental oversight are needed.
The lack of traction in the U.S. needs to be more aggressively addressed, and more needs to be done to advocate for open-source security assurance, urged Ann Schlemmer, CEO of open-source database management company Percona.
Two years ago, the joint government-private sector response to the Log4j vulnerability that spawned 800,000 attacks worldwide led to the Enduring Security Framework for federal agencies adopting open-source software (OSS). During that time of crisis, the potential and benefits of public-private partnerships were on full display.
Since then, little progress has been made, Schlemmer noted. The U.S. government has not issued policies or enacted legislation to mandate the behaviors of commercial enterprises in their use of open-source software.
“With the rising prevalence of open-source models powering artificial intelligence, the ramifications of a significant vulnerability being exploited today can have dire consequences,” Schlemmer told LinuxInsider.
Will Public-Private Partnerships Offer Solutions?
An ongoing need exists for organizations to focus on practical policies promoting efficient business and stimulating innovation. That need must be addressed to keep our world safe from the chaos and harm that exploitation of OSS vulnerabilities can wreak, according to Schlemmer.
The absence of government action in fostering more open-source collaboration is a big part of any software security solution. In 2022, the U.S. Congress received a bill addressing the need for greater government action to foster and secure open-source software. It has not had any action, she complained.
“Open source is not as secure as it needs to be,” warned Schlemmer.
By comparison, the U.K. Parliament is strides ahead of stalled efforts by U.S. government officials to foster better oversight regarding securing open source and artificial intelligence, observed Schlemmer.
She thinks the U.K.’s more proactive steps have created some potential blueprints on how governments can encourage cooperation. Establishing policies to foster working partnerships aligns with the collaborative nature of the open-source community.
“I would also like to believe that the nature of governments is to be collaborative, to listen to their constituents, and to do what is best. Obviously, security is paramount for all of us using technology. So, how do we have those conversations?” she asked.
Looking for Help Before Worse Things Happen
Despite her strong views on fighting for better open-source safety standards, Schlemmer is not positioning Percona to be a cheerleader for partnership action. Instead, she would like to see companies benefiting from open source become more involved in safety collaborations.
“We are not leading the charge. I am not leading the charge,” she insisted.
Schlemmer does, however, pay attention within her company to steer the right people into getting involved with different organizations engaging that explicit mission. That helps the company’s mission of servicing its users and customers be more successful with open source, she argues.
“We believe in using open source to accelerate innovation for everyone everywhere, specifically in the open-source database space. So, I can tie this into our mission, but that’s not my goal,” Schlemmer clarified.
She wants to see a universal sense within business and industry for the need to collaborate through partnerships to proactively innovate safely. The alternative is waiting for a significant breach fiasco that stimulates a reactive response of rushed government mandates that impose limitations on innovation and open-source developers.
Schlemmer explained that it is about connecting the dots and linking them to topics that garner attention in conversations about big tech, big tech companies, and constituent interests.
“How do we weave it into some of those conversations because the large tech companies are a mix of doing closed source and open sources? All of them have open-source software,” she added.
Two-Fold Goal for Collaboration Expansion
Clearly, there is a need to educate workers and company leaders about open-source standards. Schlemmer wants the industry to ensure safety guidelines exist for both closed and open-source code.
“Closed and open source considered equally should be a paramount goal so that we have mechanisms to move more quickly,” she added.
Funding must be considered. Schlemmer ponders what the financial support picture looks like. The tension between private industry and public communities always exists, so that is a larger conversation to have.
“It starts with education, setting standards, and making sure that there is a more level playing field for everybody in tech,” said Schlemmer.
With AI and other innovative advancements in open source, organizations are again caught up in “the speed of technology” development cycles.
“How do we make sure that we are all eyes wide open?” Schlemmer asked about safeguarding the new technology directions software developers face.