Open-source software has always been more secure than proprietary software, but that doesn’t mean it’s “secure.” To lock it down, we need to invest serious cash in developers and maintainers.

You may have noticed that a lot of people are getting seriously cranky about open-source software security lately. They have a reason. Our screw-ups have been making the news a lot lately.

To name but a few, there was the ongoing Log4j vulnerability fixups; the npm bad code injection fiasco; and you haven’t heard the last of the Linux PolKit security hole since many embedded systems will never be patched.

So, what can we do about it? First, as I like to remind people, if you think open-source security is bad, that’s only because you never hear about the security by obscurity blunders of proprietary software until they explode or they’re patched. Just look at Microsoft’s endless Patch Tuesday problems where the fixes can be as bad as the original problems.

But, just because closed-source developers have their problems doesn’t take away from our foul-ups. On the open-source side of things, we need to do better soon.

The bill comes due: Securing open-source software isn’t going to be cheap. More>