Not where the world is going...where the world is.

Not where the world is going...where the world is.

By: Patrick Masson, Interim General Manager of the Apereo Foundation

February 2022

In my January 2022 post, I shared EDUCAUSE's "Top 10 IT issues for 2022." Those issues reflect the challenges institutions faced in coping with two years of COVID while at the same time managing digital transformation (Dx) initiatives. While Dx predates the pandemic, the COVID crisis amplified its value; digital services aren't simply a replacement for traditional infrastructure or in-person practices--they enable "the education we deserve." As I proposed in my last post, open source software and communities are valuable resources and viable reference models for addressing both COVID and DX's challenges.

Over the next few posts, I'll go deeper, reviewing a few of the issues EDUCAUSE raised and digging into how open source can serve as a tool to address those issues while at the same time facilitating digital transformation.

Let's start at the top of the list:

#1. Cyber Everywhere! Are We Prepared?: Developing processes and controls, institutional infrastructure, and institutional workforce skills to protect and secure data and supply-chain integrity.

The discoveries of security vulnerabilities like Apache Log4j and Heartbleed, combined with stability issues exemplified by the Network Time Protocol and npm Left-Pad, lead many to conclude that open source software and the communities that maintain it are inherently risky. These concerns generally revolve around two assumptions.

1. If the code is freely available, anyone can exploit it.
2. Open source software is developed by amateurs, hobbyists, and part-time volunteers.

Considering these apparent flaws, incorporating open source software and communities to develop security processes and controls, infrastructure, and your workforce might seem risky. However, as anyone who has ever committed a line of code knows, "Software [all software] is written by humans and therefore [all software] has bugs" (John Jacobs), and "security is a process, not a product" (Bruce Schneier). Considering this, the real question is not if open source software is more vulnerable than proprietary options; the question is, what development and maintenance processes provide the best means for protecting and securing data and ensuring supply-chain integrity despite the development methodology or distribution model (again, open source or proprietary)?

One positive impact of Log4j is both industry and government's investment to accelerate and improve security through initiatives like Software Bills of Materials (SBOM). A SBOM lists the open source and 3rd-party components present in a codebase, "a key building block in software security and software supply chain risk management" (Cybersecurity & Infrastructure Security Agency). Open source communities and industry leaders (Google, Microsoft, and many others) are working together to secure the software we all use, including higher education. It is an apparent flaw, that anyone can view the code, that makes the SBOM accurate, comprehensive, and ultimately, trustworthy; access to the code isn't a bug, it's a feature. Transparency and collaboration at this scale--engaging companies, government agencies, and software projects--is only possible through open source principles and practices where everyone can see into and discover issues, and anyone can offer the best solution.

Just as "many eyeballs" facilitates greater security, countering the first assumption above, the number of professional engineers and dedicated developers involved in open source communities mitigates the second. Many of the most active companies are the very same institutions of higher education rely on (see the open source offices at, Adobe, Cisco, Google, Intel, Microsoft, Oracle, Red Hat, VMWare). If campuses are looking to find, recruit, and retain highly skilled technology workers, they should be working with and looking in open source software communities. That is what top tech companies do. That is where talent is.

Because open source software is everywhere, driving innovation across industries, and a core element within almost all software, how institutions engage with software providers to secure their systems and data—open source or proprietary—must change to reflect this standard of open. Interactions will be less of "customer versus vendor" and more of "collaborator and co-creator." To be direct, open source software is not where the world is going; it is where the world is. Institutions of higher education need to prepare themselves to work in and work with the open source community. Understanding and applying the core tenets of open source software within education institutions is now mission-critical because the enterprise applications and services our campuses rely on are themselves dependent on open source software and communities.

You can learn more (or even share your own story) about how open source software and communities enhance security, enable supply-chain integrity, and deliver talent at the upcoming Open Apereo 22. This year's conference invites peers across higher ed and colleagues working in open source communities of practice to share how they leverage open principles and practices to address campuses' top IT issues while successfully driving digital transformation and educational innovation.

Open Apereo 2022 will be held June 14 & 15 - Online