A survey of the free and open-source software (FOSS) community conducted by the Linux Foundation revealed that developers spend less than 3% of their time on security issues.
Moreover, the survey found that contributors had no intention of spending more time on security. Indeed, they described dealing with security issues as an uninteresting chore and an insufferably boring process.
It was therefore concluded that a new approach to security is needed, one that improves practices while limiting the burden on developers. Indeed, a report from the Linux Foundation and the Laboratory for Innovation Science at Harvard urged developers to dedicate more time to security matters, especially now that the economy is increasingly reliant on open-source software.
The report suggested encouraging businesses to invest more effort in identifying and addressing security issues themselves. Another approach would be to have developers rewrite portions, or entire components, of FOSS projects that could be vulnerable, rather than patching existing code.
The survey also found that the resources contributors most requested were bug and security fixes, free security audits, and easier ways to add security-related tooling to their continuous integration pipelines.
The report stated that developers were mostly interested in adding features, fixes, and solutions to the open-source projects they were working on. As our economy relies on free and open-source software, understanding contributors' motivations is vital to achieving secure infrastructure and systems.