Health and Security Management in Open Source Software

(For research outputs and activity, see bottom of page)

Open Source Software (OSS) makes up a pivotal part of our common digital infrastructure, both considering industry, and society at large. As with our physical infrastructure, like roads and bridges, the digital infrastructure requires continuous maintenance to stay secure and robust. In terms of OSS, this maintenance is carried out openly in communities by its users under a common vision.

If this maintenance is not kept to a high standard or would be disrupted, there is a risk that vulnerabilities can be introduced (consciously or not) that in the worst case can be exploited by a third party. A commonly referred to example is Heartbleed, a vulnerability that was discovered in the crypto library OpenSSL in 2014 but introduced already in 2012. The vulnerability enabled access to personal crypto-keys, and by extension the information it was meant to protect.

Through the HASMOSS project, we aim to enable Swedish industry, but also society at large, to analyze and manage the risk of vulnerabilities being introduced in OSS. More specifically, we will look at the health of the OSS projects, i.e., their ability to stay viable long-term and maintain the OSS to a high standard without interruptions. By analyzing the health, (potential) users of the OSS can evaluate whether to use or continue using the OSS. It can further enable them to proactively improve the health of an OSS project and thereby lowering the risk of vulnerabilities being introduced. As a second deliverable, we, therefore, aim to develop guidelines for such activities.

The main goal is to enable the Swedish industry to use and collaborate on OSS in a secure and sustainable manner. Sharing maintenance, open innovation, and new business models are some of the positive effects that can follow and help to improve the competitiveness and digitalization of the Swedish industry.

Research outputs and activity:

• Research output:
  • Linåker, J., Papatheocharous, E., & Olsson, T. (2022). How to characterize the health of an Open Source Software project? A snowball literature review of an emerging practice. In The 18th International Symposium on Open Collaboration.
  • Supplementary material including full data set: https://doi.org/10.6084/m9.figshare.20137175
• Presentation
  • Literature review presented at OpenSym 2022 and LF Open Source Summit Europe 2022.

For slides and paper, see files below.