A Swiss security engineer develops high-security systems for free after work. A handful of people run a free certificate authority. How can that be?

For the fact that Gary Gregory has had to work through the past few days, even though he is actually on holiday, he is in a surprisingly good mood. The developer is one of the main people responsible for Log4j, the software component in which a serious security vulnerability was recently found. When the warning message reached him, it was immediately clear to him that he and his handful of colleagues were in for some sleepless nights.

True, Gary Gregory lives in Florida and has maintained the Log4j component for “only” nine years. Apart from these details, the picture fits the current situation perfectly. Because the free piece of software, developed and maintained by volunteers, is in applications from the iCloud to the Tesla.

Open Source is used in all kinds of areas: Programming languages such as Java and Python, web server and database programmes, desktop applications such as Firefox and Libre Office are just a few examples. So, such software is in computer systems at all levels.

Open source is software whose source code is publicly accessible. With a licence, the authors grant users the right to use the software and the source code for any purpose; they may also distribute it or adapt it for their own use. Because the entire code is transparent, users can find and solve problems themselves. Ideally, there is an exchange that makes the software as a whole better and better, similar to how it works with the online encyclopaedia Wikipedia.

Gary Gregory works an average of about ten hours a week on open source projects. He says, “With a full-time job and three kids, it’s not easy.” He is passionate about it and enjoys it. Compared to his job, he can be more creative. Instead of the ideas of business clients, his own ideas take centre stage, which he likes.

Gregory is lucky. Because his employer supports his commitment and allows him to occasionally work on his open source project during working hours. “My company realises that it benefits from open source and it’s only fair to give something back once in a while.”

This is rather the exception. In the survey of Swiss users cited earlier, less than a quarter of organisations say that employees are allowed to contribute to open source developments during working hours. Donations to volunteers or to organisations behind the code are also quite rare.
Some user companies contribute to open source software (OSS), the picture above shows the different modes of support.

Security engineer Christian Folini knows the situation first-hand. He is one of two leaders of the “Modsecurity Core Rule Set” of the open source foundation Owasp, which specialises in security. The “Modsecurity Core Rule Set” is a set of hard-to-read rules designed to detect and defend against malicious attacks. Such a rule set is part of the infrastructure of security-sensitive applications, such as online banking or the cloud.

Microsoft, Google, AWS, Yahoo, Cloudfare: all integrate and distribute Folini’s rule set. Of those mentioned, only Google supports the project with donations. Folini has been able to recruit smaller companies as sponsors. With the money, the group finances, for example, that a person is available around the clock to answer questions. If there were more money, the quality of the software, i.e. the safety of the users, could be further increased. But this awareness is usually lacking.

If you can help with CAcert as a volunteer or supporter, please contact the secretary at secretary (at no spam) cacert (dot) org