Project Health is the Third Pillar of Open Source Strategy



Project health matters more now than ever

Open source now makes up an estimated 90% of the software supply chain, so we need better ways to manage our relationship with it. The open source development landscape is shifting fast. Increased adoption, new legislation, and a growing volume of security threats are changing the game. With these shifts comes a need for changes in open source strategy as well, specifically a focus on project health.

Think of your open source strategy as columns holding up a massive structure. Most companies focus on two of these pillars: security and compliance. But project health is the third essential pillar. It adds the stability and project resilience to withstand increasing pressures.


Project health is Bitergia’s area of expertise, and we have been proponents of it for years. But right now we’re seeing that it matters more than ever. This blog post breaks down what project health is, and lays out how measuring your project health helps to 1) comply with new legislation, 2) invest your time and resources wisely, and 3) dodge costly problems.

What is Project Health?

Project health is the overall well-being and resilience of a software development project from a social point of view. By social, we mean the contributor community and its development activity. A healthy project, one with a thriving community and efficient activity, is better able to resist attacks and to remain resilient over the long term.

We are experts at measuring project health and evaluating the sustainability and maintainability of projects and dependencies. Depending on a customer’s concerns, some metrics are more relevant than others, but there are three categories of metrics.

Types of Project Health Metrics:

  1. Community sustainability indicators, such as the growth of newcomers,
  2. Process-oriented metrics and good practices, such as average lead time and review efficiency,
  3. Maintenance metrics, such as the backlog management index (BMI, the ratio of issues closed to issues opened over a period).
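To make the three metric categories concrete, here is an added example (not Bitergia's code, and not taken from the original post) that computes a newcomer count, an average lead time and a backlog management index over a constructed set of issue records. The `Ticket` type, the `SAMPLE` data and the `Q1_2024` window are assumptions made for the example; BMI is computed as tickets closed divided by tickets opened in the window, and lead time as open-to-close days.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Ticket:
    """One issue or change request; `closed` is None while it is still open."""
    author: str
    opened: date
    closed: Optional[date]

# Constructed sample activity for the example (not data from any real project).
SAMPLE = [
    Ticket("alice", date(2023, 6, 1), date(2023, 6, 5)),   # older history: alice and bob
    Ticket("bob",   date(2023, 9, 1), date(2023, 9, 20)),  # are returning contributors
    Ticket("alice", date(2024, 1, 3), date(2024, 1, 10)),
    Ticket("bob",   date(2024, 1, 15), date(2024, 2, 1)),
    Ticket("carol", date(2024, 2, 2), None),
    Ticket("alice", date(2024, 2, 20), date(2024, 2, 22)),
    Ticket("dave",  date(2024, 3, 1), date(2024, 3, 31)),
    Ticket("bob",   date(2024, 3, 5), None),
]

# Reporting window used below: first quarter of 2024, half-open [start, end).
Q1_2024 = (date(2024, 1, 1), date(2024, 4, 1))

def _in_window(d: date, start: date, end: date) -> bool:
    return start <= d < end

def backlog_management_index(tickets, start, end):
    """BMI = tickets closed in the window / tickets opened in the window.
    Below 1.0 the backlog is growing; None when nothing was opened."""
    opened = sum(1 for t in tickets if _in_window(t.opened, start, end))
    closed = sum(1 for t in tickets
                 if t.closed is not None and _in_window(t.closed, start, end))
    return None if opened == 0 else closed / opened

def average_lead_time_days(tickets, start, end):
    """Mean open-to-close time, in days, over tickets closed in the window."""
    durations = [(t.closed - t.opened).days for t in tickets
                 if t.closed is not None and _in_window(t.closed, start, end)]
    return None if not durations else sum(durations) / len(durations)

def newcomers(tickets, start, end):
    """Authors whose first-ever ticket falls inside the window."""
    first_seen = {}
    for t in tickets:
        first_seen[t.author] = min(t.opened, first_seen.get(t.author, t.opened))
    return sorted(a for a, d in first_seen.items() if _in_window(d, start, end))

def open_backlog_age_days(tickets, as_of):
    """Age in days of every still-open ticket, oldest last."""
    return sorted((as_of - t.opened).days for t in tickets if t.closed is None)

def health_report(tickets, start, end):
    """Bundle the three metric categories for one reporting window."""
    return {
        "bmi": backlog_management_index(tickets, start, end),
        "avg_lead_time_days": average_lead_time_days(tickets, start, end),
        "newcomers": newcomers(tickets, start, end),
        "open_backlog_age_days": open_backlog_age_days(tickets, end),
    }

if __name__ == "__main__":
    print(health_report(SAMPLE, *Q1_2024))
```

On the constructed data the BMI is 4/6, so the backlog grew during the quarter; the two still-open tickets are already 27 and 59 days old at the end of the window, which is the kind of trend a dashboard should surface before it becomes a maintenance problem.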

Knowing how healthy (or not!) your projects and dependencies are helps you to make critical decisions about where to invest your attention and resources. It also helps you get ahead of costly problems before they arise. 

Think of it like this: you wouldn’t buy a car just because it has a shiny paint job. Rather, you’d pop the hood, check the engine, and make sure it’s built to last. If a car’s essential parts are unhealthy or if there are no shops where you can maintain it, you would look for another car. It should be the same with software development projects. 

To carry the metaphor forward, vulnerability scans (one of the pillars of open source strategy) are like the car dashboard warning lights. They alert you to issues that already exist. This is important, but it’s certainly not everything. When you prioritize project health, however, it’s like doing upkeep on the car over time. It helps you to prevent problems before they arise. And it helps you know when it’s time to trade in an old, under-maintained wreck for something new.

Here's what a project health check reveals:

  • Sustainability: Is the project actively maintained with a dedicated community? (We would argue that the community is the engine of any project!) Does it attract new contributors who will carry it forward? 
  • Maintainability: How efficient and effective is the open source community in addressing its issues and change requests? How responsive is the project community?
  • Resilience: Is the software healthy enough to be able to withstand challenges and changes in the development landscape? Is it viable for the long-term?

Too often we see companies that are not making open source decisions based on data. They are walking with their eyes closed and hoping they are headed in the right direction. That is why we love data. Data and insights about the sustainability, maintainability, and overall resilience of projects allow you to make wise decisions with your eyes open.

Threats to open source are exploding

With software security threats rising, it’s essential to keep your eyes open. 

Gartner reported in 2023 that 45% of organizations had experienced a software supply chain attack over a two-year period. Another report, this one by Sonatype, found “a massive year-over-year increase in cyberattacks aimed at open source project ecosystems.” By massive, they were referring to a “700% jump in repository attacks over the last three years.” 

These attacks can be devastating. The SolarWinds breach, for example, reportedly cost affected businesses an average of 11% of their annual revenue. And then there is the disruption to products and processes as teams scramble to fix the problem.

These attacks increased even as investment in third-party cybersecurity risk management (TPCRM) grew. That is why incorporating project health as a core pillar of your open source strategy matters: it adds basic preparedness alongside security and compliance. If a dependency is unmaintained, or maintained by only a couple of people, it is more exposed: a reported vulnerability may sit unpatched, and a single maintainer's account becomes a single point of compromise. Assessing the health of your dependencies is how you get ahead of these risks. With data, you can decide whether to keep or replace a troublesome dependency.

Software is becoming a regulated industry

Project health is an overlooked ally in complying with new regulation, and it brings major benefits.

The European Cyber Resilience Act (CRA) is ushering in major changes to how companies use open source. The days of “ship it and forget it” are over. Companies now need to ensure a solid foundation built on healthy, sustainable open source components. Among other things, this entails:

  • Generating SBOMs (Software Bills of Materials) that list the components a product is built from
  • Handling vulnerabilities and delivering security updates throughout the product's support period, which depends on software resilience over the long term

Companies are feeling these new pressures. They are seeking out solutions to understand software that has been patched together over years. License scanning and software composition analysis are used to manage compliance risk and security risk. (This addresses the first two of the three pillars of open source strategy.)

These common compliance approaches and project health go hand in hand, and they can be implemented at the same time for a more holistic view of dependencies and their sustainability. At Bitergia, for example, we can help select tools to generate SBOMs, and then use those SBOMs as the input for evaluating dependency health: each component listed in the SBOM points at an upstream project whose community activity can be measured. Dashboards make the resulting data easy to understand, highlighting metrics for sustainability, maintainability, and security.
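The following is an added example of that pipeline, written for this page rather than taken from Bitergia's tooling. It reads a constructed CycloneDX JSON SBOM (the document shape is the real format; the components are made up), maps each component's package URL to an upstream project, and flags dependencies that are stale or whose commits are concentrated in one or two people, the low-maintainer risk described above. The `ACTIVITY` table, the `AS_OF` date and the `stale_days` / `max_top2_share` thresholds are assumptions for the example; a real pipeline would derive the activity from the project's repository history.

```python
import json
from datetime import date

# Constructed minimal CycloneDX 1.5 SBOM (not the output of a real scan).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libalpha", "version": "3.2.0", "purl": "pkg:pypi/libalpha@3.2.0"},
        {"type": "library", "name": "libbeta",  "version": "1.9.4", "purl": "pkg:pypi/libbeta@1.9.4"},
        {"type": "library", "name": "libgamma", "version": "0.4.1", "purl": "pkg:npm/libgamma@0.4.1"},
        {"type": "library", "name": "libdelta", "version": "2.0.0", "purl": "pkg:npm/libdelta@2.0.0"},
    ],
})

# Constructed 12-month activity per upstream project, keyed by version-less purl
# (assumed input; real data would come from git history or a metrics platform).
ACTIVITY = {
    "pkg:pypi/libalpha": {"last_commit": date(2024, 3, 20),
                          "commits": {"ann": 40, "ben": 35, "cho": 30, "dee": 25}},
    "pkg:pypi/libbeta":  {"last_commit": date(2024, 3, 28),
                          "commits": {"eve": 180, "fay": 6, "gil": 4}},
    "pkg:npm/libgamma":  {"last_commit": date(2022, 11, 2),
                          "commits": {"gus": 3}},
    # libdelta is deliberately absent: having no activity data is itself a finding
}

AS_OF = date(2024, 4, 1)  # assumed assessment date

def sbom_components(sbom_text):
    """Return (name, version, purl) for every component that carries a purl."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [(c["name"], c.get("version", ""), c["purl"])
            for c in doc.get("components", []) if "purl" in c]

def project_key(purl):
    """Drop the '@version' suffix so every version of a package maps to one project.
    The purl spec percent-encodes '@' inside names, so the last '@' is the version separator."""
    head, sep, _version = purl.rpartition("@")
    return head if sep else purl

def top_n_share(commits, n=2):
    """Share of commits made by the n most active authors (1.0 = total concentration)."""
    counts = sorted(commits.values(), reverse=True)
    total = sum(counts)
    return 0.0 if total == 0 else sum(counts[:n]) / total

def assess(sbom_text, activity, as_of, stale_days=365, max_top2_share=0.9):
    """Map each SBOM component's project to a list of health flags (empty = no concern)."""
    findings = {}
    for _name, _version, purl in sbom_components(sbom_text):
        key = project_key(purl)
        flags = []
        act = activity.get(key)
        if act is None:
            flags.append("no activity data")
        else:
            if (as_of - act["last_commit"]).days > stale_days:
                flags.append("stale")
            if top_n_share(act["commits"]) > max_top2_share:
                flags.append("concentrated")
        findings[key] = flags
    return findings

def assess_sample():
    return assess(SBOM_JSON, ACTIVITY, AS_OF)

if __name__ == "__main__":
    for project, flags in assess_sample().items():
        print(f"{project}: {', '.join(flags) or 'ok'}")
```

The thresholds are the part to tune per organisation: a year without a commit is stale for an actively used library but normal for a finished, tiny one, and the right concentration limit depends on how much of your product rests on the dependency. What the example shows is the join itself, SBOM component to upstream project to community metrics, which is what turns an inventory into a health assessment.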

Conclusion: Trust your dependencies

Can you trust your dependencies? The short answer is: no, not without insights about project health. Trust comes from a complete understanding, from approaching your software resilience with your eyes open. 

There are many benefits to prioritizing project health:

  • Proactively identifying risks: Spot potential problems before they impact your project.
  • Making informed decisions: Choose open source components that are not only secure and compliant but also healthy and sustainable.
  • Reducing risk: Avoid the hidden costs associated with unhealthy projects.
  • Building more resilient software: Rely on projects that can withstand the test of time.

Above all, though, project health as the third pillar of open source strategy allows you to trust your dependencies. Until you understand the health of projects from this social aspect, you can’t know that your dependencies are sustainable and maintainable. And you can’t know that you have software resilience in a quickly changing landscape.

 

This blog post was written by Julia Lawson with help from Georg Link and Daniel Izquierdo.


Julia Lawson

Technical Writer at Bitergia
