The Apache Software Foundation (ASF) is calling out for-profit companies leeching on open-source code, warning that “only a tiny percentage” of downstream vendors are contributing to securing the open-source ecosystem.
“[The] community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance,” the ASF said in a position paper published ahead of a high-level White House meeting on open-source software security.
“Only a tiny percentage of downstream companies (reusing the same code within their own products) choose to participate [in maintaining the code],” the Foundation said, noting that any future directives must “avoid placing additional unfunded burdens on the few maintainers who are already doing the work.”
The foundation’s statement comes on the heels of the ongoing Apache Log4j incident where a remote code execution vulnerability in a little-known Java-based logging utility led to a global incident response crisis.
The ASF described the Log4j vulnerability as “an unfortunate combination of independently designed features within the Java platform” and argued that disabling antiquated and unnecessary default features would have prevented the issue.
“One of the most valuable things businesses that use open source can do is contribute back. Help fix bugs. Conduct security audits and feed back the results. Cash, while welcome and useful, isn’t sufficient. We eagerly welcome audits and fixes from any source,” the Foundation said.
The ASF also used its position paper to criticize businesses for poor patch management practices that leave gaping holes exposed long after patches are released.
“Log4j and HeartBleed are being used as examples of open source vulnerability risks but it must be remembered that once these issues were reported to their respective projects they were dealt with quickly and efficiently. What caused these, and other vulnerabilities, such as the Apache Struts issue in 2017, to be widely exploited was a failure of businesses to mitigate in a timely manner: either by updating to a new release or applying mitigations,” the ASF said.
“While part of the solution may be to ensure companies know what they’ve included in their supply chain, they will also need to have processes for rapidly handling and disclosing vulnerabilities in their dependencies. Users of open source software also need to keep track of lifecycles and ensure the projects they are using are still getting security updates,” it added.
“We can’t fix open source supply chain issues by focusing exclusively on the upstream producer,” the group warned, noting that even perfect software releases can take years to be adopted and deployed by downstream providers.
The ASF is considered one of the largest open source organizations in the world, managing hundreds of widely deployed projects that include Apache Hadoop, Apache Tomcat and Apache Cassandra.