The future of open source software: More of everything

We have been awash in predictions for weeks now. That’s what we do every time the calendar completes another trip around the sun.

And in most cases, as the year wears on and reality doesn’t always conform to the forecasts, that line from Yogi Berra (if he didn’t actually say it, who cares?) gets more and more relevant: Predictions are hard, especially about the future.

But when it comes to the future of open source software, given the trend lines of the past few years, it seems pretty safe to say that a single word—“more”—will be present in just about everything that happens in 2019.

More mergers and acquisitions following on the megadeals of IBM buying Red Hat and Microsoft buying GitHub. More organizations using more of it. More vulnerabilities, corresponding with more efforts by hackers to take advantage of those vulnerabilities. More licensing squabbles and lawsuits. More Linux everywhere, present in the cloud, the IoT, AI, big data, DevOps and blockchain.

Indeed, the 2018 Synopsys OSSRA (Open Source Security and Risk Analysis) report found that of more than 1,100 codebases audited, 77% of IoT codebases had open source components with an average of 677 vulnerabilities per application. Of all the codebases scanned, 74% had open source components with license conflicts.

Obviously, you don’t need a report to tell you that the IoT is still growing explosively, so all those things will grow along with it.

But “more” doesn’t get to every nuance of how much more, where, and how open source software will inhabit our lives and activities.

What follows are a few open source predictions that get into specifics, from several experts in the field. We’ll check back at the end of the year to see how they did.

From a governance perspective, 2018 was the year of GDPR (General Data Protection Regulation). The nature of application security shifted from being purely application focused to incorporating deployment considerations. With modern applications being a combination of custom code, open source components and third-party APIs, this shift has a profound impact on open source governance. So I’m going to focus 2019 predictions on the realities of open source usage when it is critical to your business operations.

• Organizations no longer have the luxury of performing periodic scans of their open source usage using tools with limited security capabilities. Those don’t come close to meeting the “state of the art” definition required by GDPR Article 25(1).With fines now being levied by data protection authorities, I predict that organizations will broaden their open source governance policies to include reviews of commercial software for open source libraries. Under such reviews, procurement officers can assess a given library or application for unpatched vulnerabilities and effectively embed security into the procurement process.
• Over the years we’ve seen significant press coverage of open source vulnerabilities without proposing a solution. That’s not productive. In 2019, we’ll see a noticeable shift from individuals simply reporting issues to organizations and governments proactively funding remediation activities in critical projects.That shift will improve the overall health and security of projects, which will in turn have a direct impact on reducing risks associated with consuming those projects, and make them friendlier to complex regulatory environments.
• We will see more major open source projects adopt the Commons Clause in an effort to profit from commercial adoption of their efforts. The Commons Clause is a modifier that can be applied to an open source license, converting it into a quasi-proprietary license. It came to the fore when Redis Labs in August 2018 modified the license associated with some of its existing Redis modules to include the Commons Clause. Redis Labs stated this change was made in part as major cloud providers were simply consuming these modules free and then offering them as paid services.

On our end, we recently became an open source voting machine manufacturer—at least for a little bit. We are incubating VotingWorks, which aims to be a completely open source—software, hardware, docs via CC—voting systems manufacturer. This is similar to Los Angeles County’s VSAP (Voting Systems for All People) project, which has already produced a voting machine and intends to make it completely open. They haven’t published any source code just yet, but have fully working prototypes and a large manufacturing contract ($300 million) to get them in front of voters by the 2020 election.

• Open source will continue to grow as we see non-traditional industries like shipping, fashion, banking and manufacturing continue down a path of transformation into software companies.
• The already prolific use of open source software to inject velocity into their programs will continue, and with that we will likely see more headline-making data privacy violations. Mismanagement of open source assets in complex software solutions will cause companies either to suffer a breach or, as we saw at the end of 2018, simply find themselves compelled to reveal self-determined implementation defects that only had the potential for data leakage.At the very least, fear of punishable noncompliance with the EU’s GDPR or other data protection mandates has already provided some much needed transparency. This will continue to improve in 2019.However, while we have definitely seen data breaches that could and should fall under GDPR, we have yet to see how the EU will respond. The industry may have to wait until 2020 for 2018’s cybersecurity blunders to play out before we gain any real understanding of what GDPR enforcement looks like.
• The downside of a stress on compliance in 2018 and 2019 is that many companies won’t necessarily change or appropriately increase budget for cybersecurity but may just reallocate it to ensure better GDPR compliance. This could mean less emphasis on industry-guided or metrics-focused cybersecurity efforts like the BSIMM (Building Security In Maturity Model) that, while they could be less directly focused on compliance, would be more effective in creating long-term security.
• 2019 should hopefully see some improvement in the maturity of IoT devices as new efforts like the OWASP IoT Top 10 are reaching manufacturers to guide their software development practices.An encouraging feature of 2018 was the increased focus on DevSecOps and the growing awareness, if not adoption or understanding, of what it truly means. We hope to see fresh initiatives in software development experiment with security as an integral part of the pipeline.