Yet even here, the process only works if people follow it. There’s a reason supply chain attacks succeed: Even when a fix for a bug is available, we stink at applying the patches. It’s been 10 years since Heartbleed hit, and there are still tens of thousands of systems that remain vulnerable. Why? Well, it’s non-trivial to effectively inventory enterprise systems, and patching older systems can be complicated.
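The Heartbleed point above is usually where inventory falls down in practice: a fleet-wide version check is easy to write, but OpenSSL versions carry letter suffixes, and distributions often backport a fix without bumping the upstream version string, so a naive comparison produces false positives on exactly the older systems the column says are hard to patch. The following triage script is an added example, not code from the column or from OpenSSF; the affected range (upstream OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is a documented fact, while the inventory record format, the `source` field and the host names are assumptions constructed for the example.

```python
"""Triage a constructed OpenSSL inventory for Heartbleed exposure.

Added example: the inventory layout and the hosts are assumptions, not data
from the column. The version range is the documented upstream range.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Upstream OpenSSL 1.0.1 through 1.0.1f shipped the vulnerable heartbeat code;
# 1.0.1g contains the fix. Letter suffixes compare lexically, so "" < "a" < "f" < "g".
AFFECTED_MIN: Tuple[int, int, int, str] = (1, 0, 1, "")
AFFECTED_MAX: Tuple[int, int, int, str] = (1, 0, 1, "f")

# Accepts "1.0.1e", "1.0.2k", and distro strings such as "1.0.1e-2+vendor9";
# the trailing package revision is ignored on purpose (see classify()).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass(frozen=True)
class Host:
    hostname: str
    openssl_version: str   # string as reported by the agent/scanner (assumed field)
    source: str            # "upstream" (built from source) or "distro" (vendor package)


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) or None if the string is not parseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def classify(host: Host) -> str:
    """Classify one host.

    vulnerable       - upstream build inside the affected range
    verify_backport  - distro package inside the range; the vendor may have
                       backported the fix without changing the version, so the
                       package changelog or a runtime check must decide
    not_affected     - version outside the affected range
    unparseable      - inventory data too poor to decide; needs a manual look
    """
    version = parse_version(host.openssl_version)
    if version is None:
        return "unparseable"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not_affected"
    if host.source == "distro":
        return "verify_backport"
    return "vulnerable"


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Group hostnames by classification so each bucket gets its own follow-up."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        report.setdefault(classify(host), []).append(host.hostname)
    return report


# Constructed sample inventory; none of these hosts or version strings are real.
SAMPLE_INVENTORY: List[Host] = [
    Host("web-01", "1.0.1e", "upstream"),            # squarely in the affected range
    Host("web-02", "1.0.1g", "upstream"),            # first fixed upstream release
    Host("db-01", "1.0.1e-2+vendor9", "distro"),     # distro package, fix status unknown
    Host("legacy-01", "0.9.8y", "upstream"),         # predates the heartbeat extension
    Host("api-01", "1.0.2k", "upstream"),            # later branch, not affected
    Host("appliance-01", "unknown", "upstream"),     # agent could not read the version
]

if __name__ == "__main__":
    for bucket, names in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket:16s} {', '.join(names)}")
```

The `verify_backport` and `unparseable` buckets are the point of the exercise: they are the hosts a version-only scanner either misreports or silently skips, and they are where the remaining Heartbleed-vulnerable systems tend to hide.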
At an industry level, we can’t really resolve these issues, as they’re specific to each enterprise. However, there are things we can do. The Open Source Security Foundation (OpenSSF) has taken up the challenge to both improve the security posture of open source code and train people in the process of security. This is excellent. For me, it’s one of the most important things that the Linux Foundation, which is the ultimate home for OpenSSF, does.
I’d also point out that this is what open source communities should emphasize, generally. We have a graying open source community, as Steven J. Vaughan-Nichols writes. “If we’re going to change the world for good with open source, we need to grab the attention of people who haven’t turned 30 yet,” he argues. He’s not wrong.