Recent vulnerabilities such as Log4j2 have called attention to the challenges of securing open-source software, which is used widely by tech companies and other industry enterprises. Google will release the security-vetted versions of open source software packages that it runs itself for industry and government use.
The online giant analyzes, patches, and maintains its own versions of open source software, and now the company plans to give others access to its libraries and components as a subscription.
Developers' opinions of security and secure coding, calling it a "soul-withering chore" and an "insufferably boring procedural hindrance," highlight that companies that want to harden their applications against attacks face a significant gap between those desires and getting their own developers on board, says Frank Nagle, a Harvard Business School professor and contributing author to the report analyzing the survey results. "It appears that this shifting left has not fully pervaded the minds of FOSS developers," he says. "Although we did not specifically ask whether developers think security is important, they likely understand that it is a concern, but believe others should deal with it."