
Code Curation: An Emerging Concept

Part of the cost of developing software is ensuring that it remains free of security vulnerabilities. Software engineers frequently review lines of code to ensure that the code is up-to-date, executing correctly, and that patches have been applied to any identified vulnerabilities. For both proprietary code and open source software (OSS) code, the exercise of curating the lines of code in a software estate is costly but important, since it ensures that the software remains secure and otherwise fit for commercial purposes.

With many still unfamiliar with the differences between maintainers and curators, this article discusses the key differences between software (particularly OSS) curators and maintainers; why the role of a curator is so important; and whether UK organisations should begin to consider contracting for specific code curation services.

Key takeaways

  • Using poorly maintained code or code that has not been curated may expose organisations to unnecessary security vulnerabilities.
  • The role of a curator is different to that of a maintainer. Whilst the role of maintainers may be more reactive, curators take a more proactive role in maintaining the security of software packages.
  • With organisations increasingly dependent on software packages that are not curated, we anticipate that there may be an emphasis on code curation over the coming years. We are seeing this already emerging in the US, in part due to President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity [1], which has focused attention in the US on securing software supply chains.

Why does it matter?

Organisations should be aware of the potential security risks posed by poorly maintained and curated critical code in their software estate (whether it is OSS or proprietary code). This issue is particularly relevant for the vast number of UK enterprises that integrate OSS into their software estate. Based on data collected by OpenUK, the value of OSS in the UK in 2023 was estimated to be 27% of the tech sector (approximately £13.59 billion), and 44% of companies intended to increase investment in OSS in 2023 (equating to approximately £225.2-£326.6 million of planned UK investment in OSS) [2].

We anticipate that for UK organisations using OSS, the role of maintaining and curating their codebase – and demonstrating that this has been done – will become increasingly important.

Key differences between software (particularly OSS) curators and maintainers

What is a maintainer?

OSS projects often have participants who contribute at all levels. Unlike an ordinary contributor, maintainers steward and lead the OSS project. The maintainer role can be likened to that of a stagehand for a blockbuster Hollywood movie or a multiplatinum-selling musician: they act behind the scenes but, without them, the main show (i.e. the open source project) would fall apart.

A maintainer, or group of maintainers, will sit behind each major OSS package or repository, attempting to ensure the long-term usability, security, and reliability of the OSS, typically by fixing bugs and reviewing code written by contributors.

Maintaining software packages requires constant surveillance coupled with regular patches when security vulnerabilities are identified. Approximately 70-90% of proprietary software contains OSS components [3], and around 30% of OSS packages do not have an active maintainer (or group of maintainers) pushing through updates and patches. If not found and fixed, vulnerabilities can have catastrophic effects, including leaving organisations open to cyber or ransomware attacks. Such attacks may result in significant financial losses, not to mention serious reputational damage.

A vital, yet thankless task

Maintainers perform a crucial role in the OSS community and often have to maintain dozens, if not hundreds, of OSS packages; however, a large percentage of OSS maintainers do not get paid. If there is a substantial security vulnerability in an OSS package, the maintainers are usually the first port of call.

The maintainer(s) are often subject to a barrage of issue notices [4] from other OSS contributors, requiring them to reactively patch lines of code in the OSS package. On an average day, a maintainer could receive between 50 and 100 issue notices. This can lead to maintainer burnout and OSS packages not being maintained properly, particularly since maintainers may spend the majority of their time responding to issues rather than coding themselves.

The pressure maintainers can come under was evident when a security bug was found in the Log4j OSS package. Log4j is a fundamental building block used in creating new software and acts as a ‘software library’. It is maintained by a logging services team at the non-profit Apache Software Foundation, which at the time of the Log4j incident was made up of 16 unpaid volunteers spread across the world. In December 2021, when a security vulnerability was found and Log4j went down, millions of computers were affected. This put enormous pressure on the (unpaid) maintainers, who worked tirelessly over the weekend to patch the vulnerability. Below is a post from Twitter (now X) by one of those maintainers (at the time), which gives an example of the pressure felt by maintainers.

What is a curator?

Whilst the role of maintainers is better defined, the role of a curator (for OSS or proprietary code) is less clear. Curators aim to improve the software supply chain by actively pruning and vetting software packages. Whereas maintainers act more retrospectively in finding and fixing security vulnerabilities, a curator’s role is to proactively find and fix vulnerabilities. They will also update old dependencies and track new ones. Both maintainers and curators mitigate security vulnerabilities, but the role of the curator is predominantly focused on improving the long-term security of the software package.

Why the role of a curator is so important

Why should organisations consider curation?

Code curation has two clear advantages for organisations: (i) it is a robust, preventative security measure to find and fix vulnerabilities in the software estate (both proprietary and OSS); and (ii) it could reduce the overhead costs associated with hosting and storing large software estates, as it may reduce the number of lines of code in the codebase.

For any organisation wishing to maintain its software estate, manual code management will require significant time and resource. Curators (which can be third parties) will handle the manual management of code and simplify lines of code within a program. They can implement customised code so that users do not have to manually implement each update. They can also add useful markers to the code, for example nodes, so that if an individual piece of code fails, the failure can be easily found and fixed.

Do curation services already exist?

We are aware of some large tech companies that are already curating their own software estates. This, however, may not be possible for smaller organisations, or for organisations that do not have a clear picture of their software estate. Software curation services are not yet offered by ‘Big Tech’, but this is an area where we could potentially see other software companies filling the gap.

Despite code curation services not being readily available on the market, curation does already exist in some form. Some open source software is available in a supported form, for example supported versions of Linux or paid versions of Apache Spark (a popular open source system). Google has also developed an open source curation service named Assured OSS, which scans, analyses, and fuzz-tests more than 500 Java and Python open source packages for security vulnerabilities and updates them as needed before making them available to cloud developers.

In addition, the company JFrog offers a type of curation service. JFrog Curation allows companies to strengthen their software supply chain by analysing open source packages to identify and eliminate operationally risky, malicious or vulnerable code. It prevents packages with potential security or licensing problems from being downloaded from open source repositories, providing greater transparency over third party downloads and protecting an organisation’s software ecosystem. This is a step in the right direction; however, JFrog does not offer bespoke curation services.

Should UK organisations consider contracting for specific code curation services?

Is contracting for curation on the horizon?

Many organisations have a growing software codebase with limited understanding of where the code originated or how the code fits together.

We anticipate that the tech community will continue to seek solutions to the growing need for software security, creating a gap in the market for vendors to offer bespoke curation services to organisations with software estates of all sizes. For example, curators could be paid to proactively monitor software packages, maintaining and updating the source code to improve security and ensure it remains fit for purpose. Curators could also reduce the number of lines of code by simplifying code, removing outdated or duplicative lines of code, or updating programming languages, which in turn could streamline the organisation’s software estate and save costs, especially in relation to cloud hosting.

If an organisation seeks to engage a vendor to curate its software estate then, in the same way customers should approach contracting with third parties for any service, risk should be allocated and contracts carefully agreed on a case-by-case basis. In such contracts, there are likely to be a myriad of contractual obligations that vendors would have to comply with, for example relating to security and code maintenance. Vendors would also be subject to an obligation to supply their services with reasonable care and skill. Specific care should be given to the indemnity wording and limitations of liability to ensure risk is appropriately managed. Customers may spend hours negotiating specific service levels with third party providers, but if there are broad exclusions that relieve a supplier from liability for the curated code (e.g. finding and fixing vulnerabilities, simplifying the codebase and/or pruning out any unsupported legacy code), then the risk for liability and responsibility for curation would unsatisfactorily remain with the customer, not the curator.

Practical recommendations

In practice and to mitigate the risks associated with security vulnerabilities in the software estate, we generally recommend that an organisation:

  • conducts a software audit and identifies key dependencies, including any OSS components and applicable OSS licences;
  • identifies the breadth and depth of its software estate, including any key software programs relating to the operations and revenue of the organisation, which should be the initial focus for any curation services. For example, an online retailer may conduct a software audit and identify business critical software components in the consumer’s online ordering journey. Security vulnerabilities and downtime due to these components being corrupted could significantly impact sales and affect the organisation’s profits, and these components should therefore be highlighted as priorities for curation; and
  • engages in curating its code base to simplify and streamline its core software and proactively resolve potential security vulnerabilities.
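The audit and prioritisation steps above, together with the policy checks described for curation services earlier in the article (licensing problems, unmaintained packages), can be expressed as a small, repeatable script. The following is an added example written for this page, not a tool from any vendor named in the article: it reads a constructed CSV inventory of a hypothetical software estate (the package names, versions, licences, release dates and maintainer counts are all made up), applies an assumed curation policy (a licence allow-list and a one-year staleness threshold), and ranks the components that need attention so that business critical ones come first.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed inventory of a hypothetical software estate. These package
# names, versions, licences, dates and maintainer counts are made up for
# this example and do not describe any real project.
INVENTORY_CSV = """\
name,version,licence,last_release,maintainers,business_critical
web-frontend,4.2.1,MIT,2023-11-02,3,yes
order-service,1.9.0,Apache-2.0,2023-09-15,2,yes
legacy-report-gen,0.3.7,GPL-3.0-only,2019-04-21,0,no
payment-gateway-sdk,2.0.4,Proprietary,2023-10-30,1,yes
old-xml-parser,1.1.2,BSD-3-Clause,2018-06-01,0,yes
"""

# Assumed curation policy, chosen for illustration only.
LICENCE_ALLOW_LIST = {"MIT", "Apache-2.0", "BSD-3-Clause", "Proprietary"}
STALE_AFTER_DAYS = 365          # no release for a year counts as "not actively maintained"
AUDIT_DATE = date(2024, 1, 15)  # fixed so the example is reproducible offline


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    licence: str
    last_release: date
    maintainers: int
    business_critical: bool


def parse_inventory(text: str) -> list[Component]:
    """Turn the CSV inventory into Component records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Component(
            name=r["name"],
            version=r["version"],
            licence=r["licence"],
            last_release=date.fromisoformat(r["last_release"]),
            maintainers=int(r["maintainers"]),
            business_critical=r["business_critical"].strip().lower() == "yes",
        )
        for r in rows
    ]


def assess(c: Component, today: date) -> dict[str, str]:
    """Apply the curation policy to one component; map finding code -> message."""
    findings: dict[str, str] = {}
    if c.licence not in LICENCE_ALLOW_LIST:
        findings["licence"] = f"licence {c.licence} is not on the allow-list"
    if c.maintainers == 0:
        findings["maintainer"] = "no active maintainer recorded"
    age_days = (today - c.last_release).days
    if age_days > STALE_AFTER_DAYS:
        findings["stale"] = f"last release {age_days} days ago (threshold {STALE_AFTER_DAYS})"
    return findings


def audit(components: list[Component], today: date = AUDIT_DATE) -> dict[str, dict[str, str]]:
    """Findings for every component, keyed by component name (empty dict = clean)."""
    return {c.name: assess(c, today) for c in components}


def curation_priorities(components: list[Component], today: date = AUDIT_DATE) -> list[str]:
    """Names of components with at least one finding: business critical ones
    first, then by number of findings (most first), then alphabetically."""
    flagged = [(c, assess(c, today)) for c in components]
    flagged = [(c, f) for c, f in flagged if f]
    flagged.sort(key=lambda cf: (not cf[0].business_critical, -len(cf[1]), cf[0].name))
    return [c.name for c, _ in flagged]


if __name__ == "__main__":
    comps = parse_inventory(INVENTORY_CSV)
    for name, findings in audit(comps).items():
        status = "OK" if not findings else "; ".join(findings.values())
        print(f"{name:22} {status}")
    print("Curation priorities:", ", ".join(curation_priorities(comps)))
```

In a real estate the inventory would come from a software bill of materials or package lock files rather than a hand-written CSV, and the policy thresholds would be agreed with whoever is contracted to curate the code; the point of the script is that the audit is then re-runnable, so an organisation can show that the curation it has paid for has actually been done.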


Conclusion

It is important that UK organisations identify the risks inherent in their software estate, engage properly with maintaining and curating their codebase and employ good practices to mitigate key risks. The roles of maintainers and curators are vital to achieving a secure software estate and ensuring that UK organisations utilise their proprietary and OSS codebase.

Code curation shows great potential to enable organisations to mitigate the risks associated with their growing (and sometimes unwieldy) software estates that may contain poorly maintained software packages or unsupported legacy code. Organisations looking to curate their software estate may reduce their exposure to security vulnerabilities, reduce software hosting and cloud storage costs and make their codebase more secure.

We anticipate that code curation will be an up-and-coming trend for 2024 and beyond. Organisations should therefore ensure they get ahead of the curve and begin to consider curating their software estate.


[1] Executive Order on Improving the Nation's Cybersecurity | The White House.

[2] State of Open: The UK in 2023 Phase Two, Part 1, ‘Show us the Money - The Economics of Open Source Software’ (published 13 July 2023).

[3] A Summary of Census II: Open Source Software Application Libraries the World Depends On (7 March 2022).

[4] Pull requests are a GitHub function that allows OSS contributors to propose and discuss potential changes to the OSS package.
