Open source is everywhere; a Synopsys study found that 96% of all software code bases analyzed included open source software. That’s the good news. Ironically, it’s also the bad news, as the very pervasiveness of open source introduces risk. Decades ago, proprietary players used to spew disingenuous fear, uncertainty, and doubt around open source security, but they may finally have a point. Not at the individual project level where critics once wrongly focused their case, but rather in supply chains, as massive vulnerabilities like SolarWinds and Log4j remind us that we still have essential open source security work to do.