While much of this software is written by employees of tech companies whose products rely on open-source code, the developer community is decentralized, often poorly resourced and typically more focused on adding new features than securing existing ones. But amid the urgent push to patch vulnerable devices, open-source security specialists say recent advances will make future catastrophes less likely — especially if this work gets a boost from the federal government.

“There’s now a lot more scrutiny over the software,” said David Wheeler, director of open source supply chain security at the Linux Foundation. “We’ve got a lot of folks who have decided that this is important enough that they’re going to invest real time and money and people.”

Cyber professionals have called for this kind of heightened attention for years, especially after a massive encryption vulnerability called Heartbleed discovered in 2014 was traced to flaws in the open-source encryption library OpenSSL. At the time, security advocates complained that major tech companies had done too little to support the handful of developers who maintained OpenSSL, mainly in their spare time.

Such complaints surfaced again after this month’s discovery of the Log4j flaw.

Still, over the past year, several high-profile efforts to shore up the security of open-source code have hit their stride, mostly under the auspices of the Linux Foundation’s Open Source Security Foundation. The group has published a guide to help software developers disclose vulnerabilities and coordinate with organizations that depend on their code, a scorecard that can automatically assess a software project’s security posture, a framework for building anti-tampering protections into code and a service that issues security certificates to help developers prove their software updates are authentic.

“It’s about setting an expectation … for, what does it mean to be secure?” Brian Behlendorf, the Open Source Security Foundation’s general manager, said of these initiatives.

Some tech giants have stepped in to help. Google has pledged $100 million to groups focused on improving open-source security. “We’re looking, through foundations and through financial support, to find ways to help [developers] do the right thing,” said Eric Brewer, Google’s vice president of infrastructure and a founder of the Open Source Security Foundation.

But security specialists say the fragmented and under-resourced open-source community also needs major help from the federal government to find and fix flaws in overlooked pockets of widely used code.

“It’s amazing how much of the core critical software out there is actually not that complicated [and] does not require big development teams,” said Behlendorf. Grants of $50,000 or $80,000 to pay a few people for a few months “could make substantial differences,” he said.

Allan Friedman, a senior adviser and strategist at CISA, agreed that the government has an important role to play, especially given its ability to see the big picture of how and where open-source code underpins critical systems.

The federal government has “a very global view of software,” Friedman said. “We can help prioritize what are the projects that are critical to the national mission and also where we may not have enough existing resources.”

Supporters of the open-source model have long touted its security advantages over proprietary, closed-source software, saying the ability to publicly share code and collaborate on fixes makes it easier to address vulnerabilities that might otherwise go undiscovered. Open-source software has become omnipresent throughout the internet and a host of computing systems, including in major products like Apache’s web server and the Linux family of operating systems that also forms the basis for Android.

But in practice, Log4j and other similarly ubiquitous open-source libraries often receive little dedicated scrutiny and maintenance, allowing flaws to remain hidden for long periods of time.

And while some foundations receive significant financial support from businesses that depend on open-source code — Behlendorf said carmakers “care quite a bit about all this” — others operate on shoestring budgets.

Federal agencies rely heavily on open-source code, so funding security overhauls targeted at specific software packages would be in the government’s direct interest.

“This is an important critical infrastructure,” Brewer said, “and it needs the same kind of support as all other critical infrastructure.”

Two other solutions will require a combination of federal and industry efforts.

The Log4j emergency shined a spotlight on federal efforts to create a standard approach to a feature called a software bill of materials, a digital ingredient list that would help users of software understand the provenance of its code. By reviewing these ingredient lists, organizations could figure out whether they’re using software that contains vulnerable code.

But few companies maintain accurate and comprehensive inventories of their software, or possess the technology to automatically process the ingredient lists. “It is definitely not a panacea,” Brewer said.

Still, “it’s going to be very difficult to make progress without an SBOM,” said Friedman, who oversaw SBOM work at the National Telecommunications and Information Administration before joining CISA. “Transparency in the software supply chain is going to be critical … to understand where our exposures are, where our risks are and where the opportunities to help are.”
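The automatic SBOM processing that Brewer and Friedman describe, as an added illustration rather than code from the article or from any project it names: a constructed CycloneDX-style inventory is matched against a constructed advisory list by package URL (purl) and version range. The advisory IDs, version ranges and purls are placeholders, and the version ordering is a deliberately simplified assumption (no pre-release handling).

```python
import json
import re

# Constructed, minimal CycloneDX-style SBOM; not a real product inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "name": "log4j-core", "version": "2.17.0",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"},
    {"type": "library", "name": "openssl", "version": "1.0.1f",
     "purl": "pkg:generic/openssl@1.0.1f"}
  ]
}
"""

# Constructed advisory feed; IDs and ranges are placeholders, not real CVE data.
# "introduced" is inclusive, "fixed" is exclusive (the first safe version).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-2", "package": "pkg:generic/openssl",
     "introduced": "1.0.1", "fixed": "1.0.1g"},
]


def version_key(version):
    # Simplified ordering: numeric runs compare as ints, letter runs as strings,
    # so 1.0.1 < 1.0.1f < 1.0.1g. Pre-release tags like "-beta9" are NOT handled.
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def affected(version, advisory):
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def find_vulnerable_components(sbom_json, advisories):
    """Return (name, version, advisory id) for every SBOM component in an affected range."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, _, rest = comp.get("purl", "").partition("@")
        version = rest.split("?")[0].split("#")[0] or comp.get("version", "")
        for adv in advisories:
            if base == adv["package"] and affected(version, adv):
                findings.append((comp["name"], version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name}@{version} matches {adv_id}")
```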

More important than any new technology is teaching new coders about cybersecurity. University courses and online coding platforms “typically don’t talk about” security, Wheeler said. “We are getting exactly the kind of software that we should expect when we don’t teach anybody” how to write secure code and spot bugs.

Congress, CISA and NIST have devoted significant attention to cybersecurity education in recent years. Federal guidance on software security curricula and grants to schools offering it could help improve security literacy.

Despite flare-ups such as the Log4j crisis, the people most closely involved in open-source security initiatives predict major improvements in the ecosystem over the next few years.

“The future is very, very bright,” Wheeler said. “Things are going to get better relatively soon, because of all the attention and effort that people are putting into this.”