The most important piece to the open source security puzzle the industry needs to focus on right now is community, according to Cisco's Head of Open Source Stephen Augustus.
"If we think about components like social engineering, just for example, you can see that so much of this depends on how we bring forth different streams of communication," Augustus told SDxCentral in an interview.
Conversations around security within the community are already happening in well-maintained project communities. "If we widen the circle, people who were not aware of these conversations are now aware of the conversations, for better and for worse," he said.
Examples of the worse end of that spectrum are protestware — when maintainers actively sabotage their own projects — and the recent developer attack on open source libraries colors.js and faker.js. "This is effectively an emergence of a new type of vulnerability ... how do you guard against that?" Augustus said.
As a consumer of open source software himself, Augustus says the answer to that question comes back to getting involved in the conversation. And as the colors.js and faker.js attack shows, guidance on how to prevent similar vulnerabilities in the future emerges from incidents like those.
"So the biggest thing I would say is find out ways to become part of the conversation," Augustus said. He urged companies to look at the software their supply chain depends on and make sure they know how to catalogue what they're using. And beyond that, he urged companies to contribute to the open source software they use to ensure its long-term sustainability.
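Cataloguing what the supply chain depends on, as Augustus recommends, starts with an inventory of what is actually installed. The Python script below is an added example, not code from the article or from Cisco: it reads a constructed npm package-lock.json (lockfileVersion 3 layout, with placeholder integrity hashes and constructed version numbers), flattens the nested package tree into a flat inventory, and flags the entries a reviewer would want to look at first: a package with no integrity hash, a package resolved from somewhere other than the public npm registry, and the same package installed at more than one version. The package names colors and faker are reused from the article; everything else in the sample is made up.

```python
import json

# Constructed sample lockfile in npm's lockfileVersion 3 layout.
# Versions, URLs and "integrity" values are placeholders, not real data.
SAMPLE_LOCK = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"colors": "^1.4.0", "faker": "^5.5.3"}},
    "node_modules/colors": {"version": "1.4.0",
        "resolved": "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
        "integrity": "sha512-placeholderA"},
    "node_modules/faker": {"version": "5.5.3",
        "resolved": "https://registry.npmjs.org/faker/-/faker-5.5.3.tgz",
        "integrity": "sha512-placeholderB"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/some-dev-tool": {"version": "2.0.0", "dev": true,
        "resolved": "git+ssh://git@example.invalid/some/dev-tool.git#abcdef",
        "integrity": "sha512-placeholderC"},
    "node_modules/some-dev-tool/node_modules/colors": {"version": "1.3.2",
        "resolved": "https://registry.npmjs.org/colors/-/colors-1.3.2.tgz",
        "integrity": "sha512-placeholderD"}
  }
}
"""

PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def package_name(path):
    """Strip the install path down to the package name.

    "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    """
    return path.rsplit("node_modules/", 1)[1]


def catalogue(lock_text):
    """Flatten the lockfile's package tree into one record per installed copy."""
    lock = json.loads(lock_text)
    entries = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # the root project itself, not a dependency
            continue
        entries.append({
            "name": package_name(path),
            "version": meta.get("version"),
            "path": path,
            "dev": bool(meta.get("dev")),
            "resolved": meta.get("resolved"),
            "integrity": meta.get("integrity"),
        })
    return entries


def findings(entries):
    """Return (name, version, reason) tuples worth a human look."""
    out = []
    for e in entries:
        if not e["integrity"]:
            out.append((e["name"], e["version"], "missing integrity hash"))
        if e["resolved"] and not e["resolved"].startswith(PUBLIC_REGISTRY):
            out.append((e["name"], e["version"],
                        "resolved outside the public registry"))
    # Several copies of one package at different versions are easy to miss
    # in an audit and each copy needs to be tracked separately.
    versions = {}
    for e in entries:
        versions.setdefault(e["name"], set()).add(e["version"])
    for name, vs in sorted(versions.items()):
        if len(vs) > 1:
            out.append((name, ",".join(sorted(vs)), "multiple versions installed"))
    return out


if __name__ == "__main__":
    inventory = catalogue(SAMPLE_LOCK)
    for e in inventory:
        kind = "dev" if e["dev"] else "prod"
        print(f"{e['name']}@{e['version']} [{kind}] {e['path']}")
    for name, version, reason in findings(inventory):
        print(f"REVIEW {name}@{version}: {reason}")
```

On a real project, replace SAMPLE_LOCK with the contents of the repository's package-lock.json; the inventory it prints is the catalogue, and the REVIEW lines are the starting point for the conversation Augustus describes, not a verdict on any package.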
The intersection of software and security "is an onion," he said. To that point, Augustus doesn't believe open source software can ever be considered fully secure. "The final answer that I like to give for any sufficiently complex problem is: it depends."