What do open source maintainers know about security?

Open source consumers and maintainers were asked about their security expertise.

Open source maintainers give up their own time to create great pieces of free software, which we then use to create business value. However, by consuming these projects we are also relying on these maintainers to keep these projects secure, and failing to do so may even outweigh the value we got.

In a recent survey on the state of open source security (disclosure: I am employed by Snyk, the source of this survey), open source consumers and maintainers were asked about their security expertise, their security practices and their sense of ownership – and the results were very mixed.


One focus area revolved around the maintainers' expertise. Maintainers were asked to rank their security expertise on a scale from "High" to "Next to nothing." The results were not encouraging, although they could have been worse. Only 16.8 percent of maintainers ranked their expertise as high. Another 56 percent ranked it as medium, while 26 percent ranked it as low. On the positive side, only one percent of maintainers said they know "next to nothing" about security.

While seeing that only one in six maintainers has high security expertise isn't great, these figures likely reflect the general state of security proficiency among developers (if anything, maintainers may be slightly better). It does, however, demonstrate that security-savvy OSS consumers should seriously consider contributing some of their expertise back, so that this knowledge spreads through the entire ecosystem rather than staying with the consumers alone.

