Open-source developers say securing their code is a soul-withering waste of time
by Owen Hughes in Developer on December 9, 2020
A survey of nearly 1,200 FOSS contributors found security to be low on developers' list of priorities...
...A new survey of the free and open-source software (FOSS) community conducted by the Linux Foundation suggests that contributors spend less than 3% of their time on security issues and have little desire to increase this.
A report based on the answers of nearly 1,200 FOSS contributors carried out by the Linux Foundation and Laboratory for Innovation Science at Harvard (LISH) highlighted a "clear need" for developers to dedicate more time to the security of FOSS projects as businesses and economies become increasingly reliant on open-source software...
...responses indicated that many respondents had little interest in increasing time and effort on security. One respondent commented that they "find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks," while another said: "I find security an insufferably boring procedural hindrance."...
..."Developers generally do not want to become security auditors; they want to receive the results of audits."...
...The researchers continued: "One way to improve a rewrite's security is to switch from memory-unsafe languages (such as C or C++) into memory-safe languages (such as nearly all other languages). This would eliminate entire classes of vulnerabilities such as buffer overflows and double-frees."...
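The two bug classes the report names, buffer overflows and double-frees, shown as they are handled in a memory-safe language. This is an added illustration in Rust, not code from the report or the article; the 8-byte record format and the function names are constructed for the example.

```rust
// Added example (not from the report or the article): the two bug classes the
// report names, buffer overflows and double-frees, as they look in safe Rust.
// The record format and names below are constructed for illustration.

/// A fixed 8-byte record, the Rust counterpart of a C `char buf[8]`.
pub struct Record {
    pub buf: [u8; 8],
}

/// Fill a record from untrusted input. The length check is explicit here, but
/// even without it the slice copy below would panic on a size mismatch instead
/// of writing past the end of `buf`, which is what makes a C overflow a silent
/// memory corruption rather than a visible failure.
pub fn record_from_input(src: &[u8]) -> Result<Record, String> {
    let mut buf = [0u8; 8];
    if src.len() > buf.len() {
        return Err(format!("{} bytes do not fit an 8-byte record", src.len()));
    }
    buf[..src.len()].copy_from_slice(src);
    Ok(Record { buf })
}

/// Bounds-checked read: `get` returns `None` for an out-of-range index instead
/// of reading whatever memory happens to follow the array, as `buf[idx]` in C
/// would.
pub fn read_byte(rec: &Record, idx: usize) -> Option<u8> {
    rec.buf.get(idx).copied()
}

/// Release a record. Taking `Record` by value moves ownership into this
/// function, so the caller cannot release (or use) it a second time: the
/// compiler rejects `release(r); release(r);` with "use of moved value".
/// Returns the record size so callers have something to check.
pub fn release(rec: Record) -> usize {
    rec.buf.len() // `rec` is dropped exactly once when this function returns
}

fn main() {
    let rec = record_from_input(b"hello").expect("5 bytes fit an 8-byte record");
    assert_eq!(read_byte(&rec, 0), Some(b'h'));
    assert_eq!(read_byte(&rec, 8), None); // out of range: no overflow, just None
    assert!(record_from_input(&[0u8; 16]).is_err()); // oversized input rejected
    release(rec);
    // release(rec); // does not compile: use after move, so no double-free
}
```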
...Most of the respondents to the survey were from North America or Europe, with the majority in full-time employment. Nearly half (48.7%) said they were paid by their employer for time spent on open-source contributions, while 44.02% said they were not paid for any other reason...
...developers said they were purely interested in finding features, fixes and solutions for the open-source projects they were working on. Other top motivations included enjoyment and a desire to contribute back to the FOSS projects that they used.