Researchers at the Laboratory for Innovation Science at Harvard University (LISH) have conducted an unprecedented census of free and open-source software (FOSS) packages. This comprehensive study aims to address the industry’s challenges in safeguarding against major vulnerabilities, such as Heartbleed and Log4Shell, which have previously exposed weaknesses in widely used open-source projects. By identifying the most commonly used FOSS libraries, the study provides critical insights for enhancing the security and reliability of these foundational technologies.
The census is particularly timely as the technology industry grapples with the risks associated with the pervasive use of open-source software in critical enterprise and government systems. Open-source software has become integral to many applications, but its decentralized nature presents unique challenges in ensuring its health, security, and economic value. Recent high-profile incidents have underscored the need for better oversight and understanding of these software components.
The research focuses on the application library level, analyzing data from more than half a million observations of FOSS libraries used in production environments across thousands of companies in 2020. By aggregating this extensive data, the census provides a clear picture of the most frequently deployed libraries, offering a roadmap for prioritizing resources to secure them. The findings highlight the critical role these libraries play in modern software development and the need for collaborative efforts to maintain their robustness.
“FOSS has become a critical part of the modern economy. There are tens of millions of FOSS projects, many of which are built into software and products we use every day. However, it is difficult to fully understand the health, economic value, and security of FOSS because it is produced in a decentralized and distributed manner,” the report states. By shedding light on these complexities, the census equips stakeholders with the knowledge needed to foster a more secure and sustainable open-source ecosystem.