Under-Resourced Maintainers are a Risk to Africa’s Open Source Push

Technologists and global policy makers gathered at the United Nations in New York City last week for a two-day conference focused on the potential benefits of open source software (OSS) in delivering affordable technology to underserved nations, particularly in Africa and beyond. The conference highlighted the importance of security in tandem with app development to fully realize the promise of OSS.

Philip Thigo, a special envoy on technology for the government of Kenya, emphasized the role of OSS in enabling more people to engage in coding activities and application development. Thigo pointed out that platforms like GitHub have significant developer participation from African countries such as Kenya and Nigeria, demonstrating the inclusive nature of OSS in the digital era.

“In the era of sustainable development goals, where we must end extreme poverty but also leave no one behind … open source almost becomes intrinsic or integral to everything that we do,” Thigo shared with attendees at the UN’s Open-Source Program Officers for Good 2024 conference on July 9.

However, to achieve these goals, Omkhar Arasaratnam, general manager of the Open Source Security Foundation (OpenSSF), highlighted the critical need for security within the OSS ecosystem. Arasaratnam stressed that while OSS can foster community and innovation, security must be a foundational element to prevent vulnerabilities and risks.

Arasaratnam pointed out that many OSS maintainers and project contributors, especially in Africa, face challenges due to limited funding and resources for security measures. In some cases, projects are maintained by a single individual, making them susceptible to targeted attacks and exploitation, as demonstrated by the coordinated attack on the XZ Utils project.

The incident with XZ Utils underscored the importance of supply chain security and the need to support under-resourced projects to prevent similar breaches. Arasaratnam highlighted the role of tools like Scorecards in identifying project vulnerabilities and social engineering efforts, emphasizing the need for greater resources and support for OSS maintainers.

To enhance the security of the open source ecosystem, companies are encouraged to use software bills of materials and software composition analysis tools to manage and verify the components used in their applications. Additionally, education and training programs, such as the free course LFD 121 offered by the OpenSSF, aim to equip developers and engineering managers with the knowledge and skills to produce secure code.

The OpenSSF is also collaborating with organizations like the Cybersecurity and Infrastructure Security Agency (CISA) to identify critical OSS projects and develop tools like Sigstore for validating software security claims. By securing repository platforms like PyPI, RubyGems, and npm, OpenSSF is working to safeguard the open source packages that form the foundation of modern technology.

Overall, the conference highlighted the transformative potential of open source software in driving innovation and inclusivity in technology, emphasizing the critical role of security in protecting the integrity and reliability of OSS projects worldwide. The collective efforts of technologists, policymakers, and industry leaders are essential to creating a secure and sustainable open source ecosystem for the future.
