Open source code has exploded in popularity and become an essential building block for modern software (as it can dramatically increase the speed and efficiency of software builds). The accessibility and convenience of proven code means that software developers don’t have to waste time and limited resources reinventing the wheel.
However, according to a study my company conducted, open source code isn’t without risk. In fact, the report found higher open source security risks than ever before. Consider this: Most businesses don’t know what’s in their own code.
For founders, this can present quite the dilemma. Amid an economic downturn and ensuing layoffs, software startups are leaner than ever. Those that were previously flush with funding now have their backs to the wall. With this in mind, startups can’t be faulted for supporting the rapid pace of their software development by relying on open source code — an efficient and effective but inherently risky approach if done without proper management.
The report found that high-risk open source vulnerabilities increased at a staggering rate over the past five years (557% in the retail and e-commerce space alone). On top of that, there was a disturbing lack of security patching and maintenance of project dependencies (91% included outdated open source components).
So, with software security and investor dollars on the line, what can founders and budding entrepreneurs do to stay competitive, while contending with tightening pockets and fewer staff?
Don’t be a trendsetter
Founders take many risks when launching their startup, but source code should not be one of them. No matter what industry you’re in, it’s important to remember that every company is a software company, meaning that your code will represent a significant portion of your business’ value. When evaluating where to source your code, don’t take the road less traveled.
As users of open source, we have a responsibility to ensure it is properly vetted, managed, and maintained within the software it composes.
While it’s nice to assume that open source maintainers all have good intentions and are equally capable of writing code, that’s unfortunately not the case. It’s safer to choose well-known code platforms — for example, founders would be wise to select open source components from robust, popular communities like GitHub and GitLab.
Reputable and well-established open source communities can provide the visibility and metrics necessary for teams to properly evaluate the security and quality of projects. For example, using a project hosted on GitHub enables you to see development and commit activity, as well as peruse the profiles of the project owner and maintainers. This is opposed to blindly leveraging a package downloaded from a mirror site, where you have no insight as to what is in it, and who you’re downloading it from.
Best of all, because open source code is free, it costs nothing to go with the higher-quality platform that can speed development while protecting your company.