CyberSecurity SEE

Open Source Security Priorities Undergo Restructuring

In the latest rankings of the open source software ecosystem, there has been a notable reshuffling: open source components that bridge applications with cloud resources, and those written in Python, have risen to the top of the list of critical packages. This reordering emphasizes the importance of properly funding projects to enhance the security of the software ecosystem.

The “Census of Free and Open Source Software” categorizes open source projects into various top 500 lists based on ecosystem, version information inclusion, and the consideration of direct and indirect dependencies. The most recent survey, known as Census III, revealed a significant increase in the popularity and importance of packages designed for Python software and those facilitating connections between developers and specific cloud services. This surge in relevance underscores the vital role these packages play in software development.

Cloud-native and hybrid development have been prevalent for some time, but cloud providers have recently developed a myriad of software development kits (SDKs) for developers, contributing to the uptick in their rankings as critical software. According to David Wheeler, the director of open source supply chain security at the Linux Foundation, the widespread utilization of these tools has propelled them to the forefront of essential software components.

The third edition of the “Census of Free and Open Source Software” comes more than two years after the publication of Census II in March 2022; the initial report was released in 2020, and the original census nine years ago. The primary goal of these data-collection initiatives is to identify the most crucial open source software, enabling both public and private sectors to make strategic investments in projects that enhance software security. Scores for each software package are determined using data from the software supply chain firms FOSSA, Snyk, Sonatype, and the Synopsys Cybersecurity Research Center (CyRC).

The integrity of the software supply chain has become a major focal point for the software industry and national governments alike. The Biden administration, for example, emphasized in its National Cybersecurity Strategy the need to enhance software security and the open source ecosystem upon which most applications rely.

Within the realm of critical software connections to the cloud, the Amazon Web Services (AWS) software development kit for Python, known as Boto3, climbed to fifth place on the list of critical software for “Non-npm, Direct, Version Agnostic Packages,” a substantial leap from its previous ranking. Similarly, other cloud-centric packages, such as the SDK for connecting Go programs to Google Cloud and the AWS kit for .NET, also experienced significant advancements in the rankings, underlining the pivotal role of open source software in supporting cloud service infrastructure.

The shift away from outdated software is a critical focus area for eliminating vulnerabilities in software. The slow transition from Python 2 to Python 3 over the last decade has highlighted the importance of projects like “Six,” designed to facilitate compatibility between code in Python 2 and Python 3. As the adoption of Python 3 continues to grow, tools like Six become essential for developers needing to integrate older code with newer Python programs.

While Census III findings can be accessed from the Linux Foundation, it is imperative for companies to automate package management, conduct regular testing, and update their software consistently. The key takeaway from the census is not only to identify which packages warrant attention but also to determine which projects require additional funding and paid maintainers to ensure the sustainability of the open source ecosystem.

In conclusion, the evolving landscape of open source software underscores the critical need for continued investment and support to fortify the security and functionality of the software ecosystem. As dependencies on open source components grow, it is essential for organizations to prioritize the maintenance and funding of critical projects to safeguard against potential security threats and ensure the longevity of the software supply chain.
