96% of Codebases Use Open Source: Census III Reveals FOSS Reliance


Open-source components (FOSS) are integral to the majority of modern applications, according to the Census III report, jointly prepared by the Harvard Business School, the Harvard Laboratory for Scientific Innovation, Linux Foundation Research, and OpenSSF.

The study encompassed over 12 million observations of FOSS usage across 10,000 companies. By analyzing data derived from automated codebase scans and manual audits, the research delved into both direct usage of open-source packages and their dependencies within software supply chains.

The report reveals that 96% of codebases include open-source components, with a notable surge in libraries optimized for cloud services. While earlier approaches focused on migrating existing software to the cloud, contemporary solutions are now purpose-built to leverage the capabilities of cloud infrastructures.

The authors highlight risks associated with a high concentration of responsibility, noting that 40% of leading projects rely on just one or two developers, who contribute over 80% of the work. This poses significant threats to the security and resilience of such projects. A stark example is the XZ Utils incident, where malicious code was introduced by a new maintainer added through social engineering.

The report also underscores the persistent reliance on outdated technologies. Despite the release of Python 3 sixteen years ago, Python 2 remains in use in 20–30% of cases across certain sectors, exacerbating security vulnerabilities. Experts stress that simplifying the upgrade process and ensuring full backward compatibility could expedite transitions to newer versions.

The rising popularity of the Rust programming language, which has grown by 500% since the last report, reflects a growing emphasis on memory safety. However, the lack of standardization in the naming of software components amplifies security risks, presenting an ongoing challenge.

Initiatives from OpenSSF, such as SLSA and Sigstore, aim to bolster trust in software build and distribution processes. These projects help ensure that the code used in products aligns with its original verified source.
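The check these projects make possible, in its simplest form, is that an artifact you are about to use has the same digest that its build provenance recorded for it. The script below is an added illustration, not code from the report or from the SLSA or Sigstore projects: it builds a minimal in-toto Statement v1 carrying a SLSA provenance predicate for a constructed artifact, then verifies a candidate file against it. The artifact bytes, file name and builder id are all constructed for the example, and signature verification (the part Sigstore adds on top of the digest match) is deliberately left out.

```python
"""Match an artifact against the subject recorded in SLSA-style provenance.

Added illustration only: the statement layout follows in-toto Statement v1
with a SLSA provenance predicate, but the artifact bytes, names and builder
id below are constructed for this example, and the statement is not signed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the field provenance uses to identify an artifact."""
    return hashlib.sha256(data).hexdigest()


def make_provenance(name: str, artifact: bytes, builder_id: str) -> dict:
    """Build a minimal in-toto Statement v1 wrapping a SLSA provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }


def verify_subject(statement: dict, name: str, artifact: bytes,
                   expected_builder: str) -> tuple:
    """Return (ok, reason).

    ok is True only when the statement has the expected types, names this
    artifact, records exactly the digest the bytes actually have, and was
    produced by the builder we trust. Every failure names its cause so a
    rejected artifact can be triaged.
    """
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "unexpected statement type"
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "unexpected predicate type"
    subjects = [s for s in statement.get("subject", []) if s.get("name") == name]
    if not subjects:
        return False, f"no subject named {name!r}"
    recorded = subjects[0].get("digest", {}).get("sha256")
    actual = sha256_hex(artifact)
    if recorded != actual:
        return False, f"digest mismatch: recorded {recorded}, actual {actual}"
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder != expected_builder:
        return False, f"unexpected builder {builder!r}"
    return True, "ok"


# Constructed sample: the bytes the build produced, and a copy altered afterwards.
GOOD = b"#!/bin/sh\necho hello\n"
TAMPERED = b"#!/bin/sh\necho hello\necho extra\n"
BUILDER = "https://example.invalid/builder/v1"   # hypothetical builder id
PROVENANCE = make_provenance("hello.sh", GOOD, BUILDER)

if __name__ == "__main__":
    print(json.dumps(PROVENANCE, indent=2))
    print(verify_subject(PROVENANCE, "hello.sh", GOOD, BUILDER))       # (True, 'ok')
    print(verify_subject(PROVENANCE, "hello.sh", TAMPERED, BUILDER))   # digest mismatch
```

The builder-id check matters as much as the digest: provenance that merely exists proves nothing unless it came from a builder you trust, which is why the SLSA levels tie the predicate to who produced it and why Sigstore is used to bind the statement to that identity.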

The Census III report highlights significant shifts in FOSS usage and emphasizes the urgent need for innovative strategies to enhance resilience and security in this critical domain.
