Published on: 04/2025

More IT Security Through Open Source: Why Businesses Must Invest in Their Dependencies

Modern business infrastructure increasingly relies on open-source software. While many companies recognize the economic benefits of open source, the security risks tied to open-source dependencies are often overlooked. In an era of escalating cyber threats and data leaks, the key question becomes: Can open source offer better security than proprietary software?

Recent studies – such as the "Census III" report by the Linux Foundation – clearly show that investing in open-source projects not only strengthens IT security but also reduces risk and saves costs in the long term.


The Invisible Threat in Your Digital Infrastructure

Most businesses use open source every day – often without knowing it. From web servers and encryption libraries to container technology, open source is everywhere. It’s flexible, cost-effective, and fast to deploy. But here’s the question few ask: Who’s responsible for keeping it secure?

The reality is both surprising and alarming: many of the world’s most critical open-source components are maintained by individuals or small volunteer teams – often with no budget, no audits, and no dedicated security staff.

The Census III study revealed just how fragile this situation is: some of the most-used libraries on the internet depend on a single maintainer. A single failure, a critical vulnerability, and tens of thousands of systems could be compromised.

For businesses, this is a risk that's rarely on the radar. But it should be. Open-source security doesn’t happen by accident. It requires awareness, participation, and investment.


Why Businesses Need to Start Investing in Open Source

Many companies assume they don’t use much open source. In reality, they’re standing on a foundation they don’t even see – and that could collapse with the slightest shake.

Log4j was one such shake. A small Java logging library, used by millions, quietly running in the background – until it wasn’t. Suddenly, there was a critical vulnerability. Emergency patches, frantic scans, and hasty updates followed. And what did some companies do? They threatened legal action against the maintainers. Against a project they’d never supported, never reviewed, never even acknowledged. Software they had never invested a single cent in, but had relied on for years.

This highlights a broader problem: a deep misunderstanding of how open source works – and what businesses owe to it.

And Log4j wasn’t an isolated case. In the JavaScript/TypeScript world, nearly all software projects are tethered to thousands of npm dependencies – each one a potential security blind spot. Whether it’s a CMS, frontend framework, or DevOps toolchain, your entire stack is built on open source. And while that’s not inherently bad – quite the opposite – it does mean you have a responsibility.

So what does responsible behavior look like?

  • Security budgets should include the software your business is built on – not just firewalls and pentests.
  • Create visibility: Which open-source components are in use? Which are critical?
  • Provide financial support: Sponsorships, public funding, and paid work for maintainers aren’t charity – they’re digital risk management.
  • Build an open-source strategy: Companies need clear policies for selecting, maintaining, and contributing to open-source software.

In short: if you treat open source as free infrastructure, you’re exploiting your own foundation.


What Companies Can Do – Right Now

Using open source is easy. Contributing is harder. But it doesn’t take much to start making a difference – and reduce your exposure to fragile infrastructure.

Here’s how to begin:

1. Create Transparency

Take a hard look in the mirror: what open-source components does your company rely on? Which ones are critical? Tools like a Software Bill of Materials (SBOM) can help bring clarity.

2. Take Responsibility

If a project keeps your business running, you should give back. That doesn’t mean hiring a team. Sometimes it’s enough to report bugs, offer feedback, or lead by example.

3. Yes, Spend Money

Some projects cost less per month than a single hour of consulting – yet they support millions in business value. Sponsorship, donations, or funding specific improvements are investments, not handouts.

4. Make Open Source Part of the Strategy

Open source isn’t a tool you take off the shelf and put back. Long-term security and efficiency require internal processes, ownership, and shared knowledge.
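Step 1 above (and the earlier point about stacks tethered to thousands of npm dependencies) is where most companies actually get stuck: the SBOM exists, but nobody turns it into an answer to "which components are critical?". The script below is an added example, not tooling from this blog or from the Linux Foundation's Census work. It reads a CycloneDX 1.5 JSON SBOM, which is one of the common SBOM formats, and ranks every component by its blast radius: how many other components (and the application itself) would be affected if that one package were compromised or abandoned. The SBOM it parses is constructed inline with made-up package names and versions so it runs offline; the `dependents_closure` metric and the "no license declared" flag are this example's own heuristics, not part of the CycloneDX specification.

```python
"""Inventory a CycloneDX SBOM and rank components by how much depends on them.

Added example, not the blog author's tooling. The embedded SBOM is constructed
with fictitious package names so the script runs with no network or files.
"""
import json
from collections import defaultdict

# Constructed sample SBOM (CycloneDX 1.5 JSON layout). Names and versions are
# illustrative only. The same bom-refs are used as graph node ids below.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "shop-frontend", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:npm/web-framework@4.18.2", "type": "library", "name": "web-framework",
         "version": "4.18.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/http-parser@1.2.0", "type": "library", "name": "http-parser",
         "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/tiny-util@0.0.3", "type": "library", "name": "tiny-util",
         "version": "0.0.3"},  # deliberately no license declared
        {"bom-ref": "pkg:npm/logger@2.1.0", "type": "library", "name": "logger",
         "version": "2.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:npm/template-engine@3.0.1", "type": "library", "name": "template-engine",
         "version": "3.0.1", "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/web-framework@4.18.2", "pkg:npm/logger@2.1.0",
                                     "pkg:npm/template-engine@3.0.1"]},
        {"ref": "pkg:npm/web-framework@4.18.2", "dependsOn": ["pkg:npm/http-parser@1.2.0",
                                                              "pkg:npm/tiny-util@0.0.3"]},
        {"ref": "pkg:npm/http-parser@1.2.0", "dependsOn": ["pkg:npm/tiny-util@0.0.3"]},
        {"ref": "pkg:npm/logger@2.1.0", "dependsOn": ["pkg:npm/tiny-util@0.0.3"]},
        {"ref": "pkg:npm/template-engine@3.0.1", "dependsOn": ["pkg:npm/tiny-util@0.0.3"]},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse the SBOM and reject anything that is not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return sbom


def dependency_graph(sbom: dict) -> dict:
    """bom-ref -> list of bom-refs it depends on, from the 'dependencies' array."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def reverse_graph(graph: dict) -> dict:
    """bom-ref -> set of bom-refs that depend on it directly."""
    rev = defaultdict(set)
    for parent, children in graph.items():
        for child in children:
            rev[child].add(parent)
    return rev


def dependents_closure(rev: dict, ref: str) -> set:
    """Every component that depends on `ref`, directly or transitively (DFS over the reverse graph)."""
    seen, stack = set(), [ref]
    while stack:
        node = stack.pop()
        for parent in rev.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def declared_license(component: dict):
    """Return the declared SPDX id(s) as a string, or None if the SBOM lists no license."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "?")
    return ", ".join(ids) if ids else None


def inventory(sbom: dict) -> list:
    """One row per component, sorted so the components most of the stack depends on come first."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(sbom)
    rev = reverse_graph(graph)
    direct = set(graph.get(root, []))
    rows = []
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        rows.append({
            "ref": ref,
            "name": comp["name"],
            "version": comp.get("version", "?"),
            "license": declared_license(comp),
            "direct": ref in direct,                         # listed in your own manifest?
            "blast_radius": len(dependents_closure(rev, ref)),  # includes the application itself
        })
    rows.sort(key=lambda r: (-r["blast_radius"], r["name"]))
    return rows


def report(rows: list) -> str:
    """Plain-text summary: a transitive, unlicensed package that everything depends on tops the list."""
    out = []
    for r in rows:
        flags = []
        if r["license"] is None:
            flags.append("NO LICENSE DECLARED")
        if not r["direct"]:
            flags.append("transitive")
        out.append(f"{r['name']}@{r['version']}  dependents={r['blast_radius']}  "
                   f"license={r['license'] or '-'}  {' '.join(flags)}".rstrip())
    return "\n".join(out)


if __name__ == "__main__":
    print(report(inventory(load_sbom(SAMPLE_SBOM))))
```

On the constructed input the top of the list is `tiny-util`, a package nobody chose on purpose: it is transitive, declares no license, and sits underneath every other library and the application. That is exactly the "single maintainer, no budget" shape the Census III findings describe, and it is the kind of component a security budget should know about before the next Log4j-style week.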


Conclusion: Open Source Isn’t a Free Lunch

Open source isn’t magical free software from the internet. It’s infrastructure. It’s shared responsibility. And when properly maintained, it can be one of the most secure foundations a business can have.

Let’s be honest: without open source, modern software development wouldn’t be financially viable for most companies. The speed of innovation we all rely on is only possible because we’re standing on the shoulders of thousands of maintainers – most unpaid, often invisible.

That’s why open source needs more than passive consumption: Businesses must start thinking, contributing, and funding. If you think ignoring it will save you money, you’re cutting costs at the foundation – and you won’t like what happens when the roof caves in.

I publish almost all of my software under free licenses. Not because I’m some idealist, but because I believe robust, sustainable digital systems only happen when everyone helps out.

If you want to know where your business is exposed, what’s critical, and how to take responsible action – let’s talk. I’ll help you take a closer look.