Log4j hack raises serious questions about open-source software

16 December 2021, Technology & Digitalization

The world runs on open-source software. What began as a crazy-sounding experiment — letting voluntary, self-organising communities write and maintain widely used pieces of software — has turned into a central part of the tech landscape. The average application these days includes more than 500 open-source components.

So it’s more than a little alarming to discover that, more than two decades into the open-source era, glaring security holes sometimes surprise even the experts.

In the open-source world, the old management methods don’t apply. It takes new social and market incentives to ensure quality and safety. At a time when blockchain technology is opening the door to a new wave of decentralisation in tech, it’s a stark reminder that self-organising communities don’t always guarantee the wider good.

As Jim Zemlin, head of the open source Linux Foundation, puts it: “In a decentralised, distributed world, who are you going to fire?”

The latest wake-up call came with last week’s revelation about an obscure but widely used piece of software called Log4j. The program’s mundane job is to keep records of how online services and applications are being used. But this harmless-sounding piece of software has suddenly become the biggest threat to online security in a decade, after hackers launched more than 1m attacks on computers around the world through a previously unnoticed vulnerability.

Log4j is maintained by part-time developers whose day jobs are at companies such as Palantir and Oracle. It is not the kind of glamorous, high-profile project that gets most attention, so it has not attracted significant outside funding. One developer tweeted that he had only three individual financial sponsors.

If an orphan software project like this could be sitting in the heart of the world’s internet infrastructure, how many other potential time-bombs are out there?

That is an uncomfortable question, and no one seems willing even to hazard a guess at the answer. The open-source Apache Foundation, under whose banner Log4j was released, itself has around 350 different open-source projects. Code such as this is bundled together with many other components to make the applications that customers ultimately buy — meaning many organisations that rely on programs such as Log4j probably don’t even realise they are using the software. An effort to bring more transparency and control to this open-source supply chain has only recently been launched.
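The transparency problem described above is concrete: a library can enter an application several layers down the dependency tree without ever being named in the organisation's own build files. The following script, an added example that is not part of the original article and not code from the Log4j or Apache projects, shows the kind of check a defender would run over a dependency graph to answer "do we ship this component, and through which dependencies did it arrive?". The graph is constructed by hand for this example; every coordinate prefixed `example:` or `hypothetical:` is invented, and only the Log4j group/artifact names are real.

```python
"""Walk a dependency graph to find components an application ships but never declared.

Added example, not code from the article or from any project it mentions.
The graph below is constructed for illustration: the "example:" and
"hypothetical:" coordinates are invented; only the Log4j coordinates are real.
"""
from collections import deque

# Constructed sample graph: each key is a component, each value the direct
# dependencies it declares. Only "example:shop-frontend" is written by the
# hypothetical organisation; everything beneath it is third-party code.
SAMPLE_GRAPH = {
    "example:shop-frontend": ["example:shop-api", "hypothetical:web-framework"],
    "example:shop-api": ["hypothetical:search-sdk", "hypothetical:json-parser"],
    "hypothetical:search-sdk": ["hypothetical:http-client", "org.apache.logging.log4j:log4j-core"],
    "hypothetical:web-framework": ["hypothetical:logging-facade"],
    "hypothetical:logging-facade": ["org.apache.logging.log4j:log4j-core"],
    "hypothetical:http-client": [],
    "hypothetical:json-parser": [],
    "org.apache.logging.log4j:log4j-core": ["org.apache.logging.log4j:log4j-api"],
    "org.apache.logging.log4j:log4j-api": [],
}

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"


def transitive_inventory(graph, root):
    """Return the sorted set of every component reachable from `root` (root excluded).

    This is the minimal "what do we actually ship" list that a software bill of
    materials makes explicit; a breadth-first walk with a visited set keeps it
    correct even when the graph contains cycles.
    """
    seen = set()
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(seen)


def dependency_paths(graph, root, target):
    """Return every dependency chain from `root` down to `target`, in declaration order."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in graph.get(node, []):
            if dep in path:  # guard against cyclic declarations
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return found


def exposure_report(graph, root, target):
    """Summarise whether `target` is shipped, whether it was declared directly, and how it got in."""
    paths = dependency_paths(graph, root, target)
    return {
        "component": target,
        "present": bool(paths),
        "declared_directly": target in graph.get(root, []),
        "paths": paths,
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_GRAPH, "example:shop-frontend", LOG4J_CORE)
    print(f"{report['component']}: present={report['present']}, "
          f"declared directly={report['declared_directly']}")
    for path in report["paths"]:
        print("  " + " -> ".join(path))
```

In the constructed graph the application never names Log4j in its own dependencies, yet the report shows it arriving by two separate routes, one through a search SDK and one through a logging facade. Fixing the first route alone would leave the second in place, which is exactly why a per-path view rather than a yes/no answer is worth having when triaging a component like this.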

The Apache Foundation has had a black eye like this before. One of its projects, called Struts, was responsible for a breach at Equifax, which led to one of the biggest thefts of personal records.

This does not mean open-source software is inherently less secure than the proprietary kind. It is just different. And working out how best to manage the differences is still a work in progress.

One question involves incentives. In his seminal book published at the start of the open-source era, The Cathedral and the Bazaar, software developer Eric Raymond made the case for why the transparency of the software makes it theoretically easier to find flaws: “Given enough eyeballs, all bugs are shallow.” But what incentives are there for those eyeballs to be trained on programs such as Log4j?

One concern is that the financial rewards for writing safe code and identifying flaws are too low. But this may be a red herring. The most critical open-source projects are already maintained by full-time developers working inside companies who rely on using the code in their own products, according to Chris Wright, chief technology officer at IBM-owned Red Hat.

Others say big companies have plenty of cash available to back open-source developers. The problem is rather that it is hard for them to find and engage with the many small groups involved. At the same time, volunteer programmers often don’t need the cash and would rather be left alone to write code their own way, without the risk of interference.

If more money isn’t the answer, then other forms of support are needed, along with social incentives that encourage developers to focus more on secure coding techniques. The bad publicity of failed projects such as Log4j should provide a salutary wake-up call.

The Apache Foundation, like other open-source groups, leaves it to individual groups of developers to run and fund the projects that appear under its banner, providing them with things such as infrastructure and legal support. But it lacks the resources of some other groups such as the Linux Foundation, whose 300 employees are involved in things like running training courses for developers and writing software tools used to maintain code quality. More developers need to turn to support like this.

Open-source developers value their independence. But their software now has a central place in business and society, and this world-changing experiment needs to be brought up to date.

richard.waters@ft.com