Cybersecurity continues to be a hot topic. More and more organizations are getting hit by ransomware attacks, critical open software vulnerabilities are making news, and we’re seeing industries and governments coming together to discuss initiatives to improve software security.
The U.S. government has been working with the tech industry and open source organizations such as the Linux Foundation and the Open Source Security Foundation to come up with a number of initiatives in the past couple of years.
The White House Executive Order on Improving the Nation’s Cybersecurity without a doubt kick-started subsequent initiatives and defined requirements for government agencies to take action on software security and, in particular, open source security. An important White House meeting with tech industry leaders produced active working groups, and only a few weeks later, they issued the Open Source Software Security Mobilization Plan. This plan included 10 streams of work and budget designed to address high-priority security areas in open source software, from training and digital signatures, to code reviews for top open source projects and the issuance of a software bill of materials (SBOM).
The Act directly addresses the top three areas of focus to improve open source security: vulnerability detection and disclosure, SBOMs and OSPOs.
One recent government initiative regarding open source security is the Securing Open Source Software Act, a bipartisan legislation by U.S. Senators Gary Peters, a Democrat from Michigan, and Rob Portman, a Republican from Ohio. Senators Peters and Portman are chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee, respectively. They were at the Log4j Senate hearings, and subsequently introduced this legislation to improve open source security and best practices in the government by establishing the duties of the director of the Cybersecurity and Infrastructure Security Agency (CISA).
This is a turning point in U.S. legislation, because, for the first time, it is specific to open source software security. The legislation acknowledges the importance of open source software and recognizes that “a secure, healthy, vibrant, and resilient open source software ecosystem is crucial for ensuring the national security and economic vitality of the United States.” Finally, it states that the Federal Government should play a supporting role in ensuring the long-term security of open source software.
The Securing Open Source Software Act defines tasks for the director of CISA and promotes outreach and engagement with the open source community to improve long-term security of open source software. It dictates collaboration with federal, state and local government entities, as well as the private sector and open source organizations, for tasks such as vulnerability disclosures.
The act focuses on the assessment of critical open source software components and, for that, requires the enactment of a framework for assessing the risk of open source software components. The framework will provide guidance on:
- Identifying open source components.
- Securing software development life cycle processes.
- Creating SBOMs that provide an inventory of components, versions and vulnerabilities.
Also, the framework will require information about open source components’ communities and risk of exploitation.
This framework-based assessment will be implemented at the federal level, and SBOMs will be required to show prioritized levels of risks. It is to be implemented to ensure critical infrastructure, starting with a pilot, the results of which will be presented by the director of the CISA to congressional committees and then to the public.
The final section of the act defines guidance for chief information officers (CIOs) across government agencies, which it says must be based on open source best practices to “manage and reduce risk of using open source software; and guidance contributing to and releasing open source software.” These best practices relate to a growing global trend at organizations, which are increasingly establishing open source program offices (OSPO) to drive the practical and strategic use of open source code.
Similar to security offices headed by a CISO, OSPOs are being adopted more and more by organizations consuming and contributing to open source software. Starting with a pilot program modeled after OSPOs in the private sector, the aim is to develop policies and processes for government contributions to, and releases of, open source software. The OSPO will interface with open source communities and define processes to bolster the security posture of open source software as a whole.
The act directly addresses the top three areas of focus to improve open source security: vulnerability detection and disclosure, SBOMs, and OSPOs. It’s very promising to see these initiatives at the government level. Although the act does not include a mandate for the private sector, organizations across all industries should pay attention to open source security via tooling and best practices, including SBOMs and OSPOs.
Although the proposed legislation will have to pass a vote in the Senate and the House of Representatives, and receive the president’s signature, these are solid steps to improve open source security and our overall cybersecurity.