At the 2022 Open Source Summit in Austin, TX, The Linux Foundation, the leading open source non-profit group, with its partners and Snyk, a leading developer security company, released their first joint research report, The State of Open Source Security. It uncovered worrying news: 41% of organizations are not confident in their open source software security. Worse still, not even half, 49%, even have an open source security policy.
True, open source software is inherently more secure than its proprietary rival. After all, you can look at open source code to see if there are any problems, while proprietary programs are a riddle wrapped in a mystery inside an enigma.
But, as recent open source security holes such as Log4j, colors.js, and faker.js have shown, just because the problems can be looked for doesn't mean they'll be found -- especially if no one's looking for them.
Eric S. Raymond, an open source founder, famously said, "Given enough eyeballs, all bugs are shallow." But "Linus's Law" only works if someone is actually looking. If no one is, then you're still open to attack. Or, as with Log4j's vulnerability, we know about the problem, the fix is in, and months later we still have tens of thousands of vulnerable programs. Why? Because users simply aren't paying attention. This is just asking for a disaster.