HeroDevs this week revealed it has joined the Commonhaus Foundation as the founding member of the Open Source Sustainability Initiative (OSSI) after establishing partnerships with the open source Hibernate, Jackson, and Quarkus communities to provide commercial support for older versions of these frameworks.
OSSI is a framework, administered by the Commonhaus Foundation, through which governance of open source software projects is provided.
HeroDevs COO Rob Nalen said the provider of end-of-life support services for open source software sees a clear need to work more closely with maintainers of open source projects that lack the resources to support enterprise IT organizations that, for one reason or another, are unable to upgrade to the latest version of an open source software framework in a timely manner.
The alliance between HeroDevs and the Commonhaus Foundation, in effect, buys enterprise IT teams, especially if they operate in highly regulated industries, the time they need to eventually make that transition, he added. Over time, HeroDevs also plans to extend the level of support it provides across the other projects that are governed by the Commonhaus Foundation, noted Nalen.
Enterprise IT organizations have for many years now included massive amounts of open source software in their applications. The average enterprise application today has 911 open source components, said Nalen. Unfortunately, they now face a significant dilemma in the age of artificial intelligence (AI). The latest generation of frontier AI models is now able to discover thousands of vulnerabilities in legacy software that, if exploited, could wreak havoc.
The challenge is that once those vulnerabilities are publicly disclosed, it has also been shown that malicious actors can use AI tools to reverse engineer an exploit in a few hours.
In some cases, DevOps teams might decide to use an AI coding tool to create custom software of their own that replaces the function they once relied on an open source component to provide. The issue then becomes the amount of time and effort that will need to be allocated to maintaining those custom components. Alternatively, HeroDevs is making a case for relying on an external service provider to maintain open source software on behalf of enterprises that would rather dedicate their limited resources to building and deploying new applications or adding features to existing ones.
Of course, there may not be a single right answer given the volume of dependencies that exist in applications. The decision to replace a component versus relying on an external service provider to support and maintain it will be heavily influenced by just how critical that component is to the business. The one thing that is certain is that even in the age of AI coding, it could take years to replace every single open source component that needs to be maintained and secured.
As such, the real issue is determining what to prioritize, given the high probability that any number of applications are about to be compromised in the weeks and months ahead.