Survey Finds Compensation Drives Better Open Source Software Security Behavior
DevOps.com, Friday, September 27th, 2024
A survey of 400 maintainers of open-source software projects suggests IT organizations should be paying a lot more attention to the degree to which the stewards of these projects are compensated before downloading software components.
Conducted by Tidelift, a provider of a platform used to compensate maintainers of open-source software projects, the survey finds that paid maintainers of open-source software projects are 55% more likely to implement critical security and maintenance practices than unpaid maintainers.
The top security practices implemented by paid maintainers include two-factor authentication (76% vs. 68% for unpaid maintainers), static code analysis (75% vs. 59%), providing fixes and recommendations for vulnerabilities (70% vs. 54%), a security disclosure plan (66% vs. 43%), secrets management (58% vs. 39%), and signed releases with published artifact provenance (50% vs. 28%).