The US Open Source Software Security Act of 2022 is a step in the right direction

Cybersecurity remains a hot topic. More and more organizations are affected by ransomware attacks, critical vulnerabilities in open source software are in the news, and we see industries and governments coming together to discuss initiatives to improve software security.

The US government has been working with the tech industry and open source organizations like the Linux Foundation and the Open Source Security Foundation to introduce a number of initiatives in recent years.

The White House Executive Order on Improving the Nation's Cybersecurity launched subsequent initiatives and defined requirements for government agencies to take action on software security, and on open source security in particular. An important meeting at the White House with leaders of the technology industry produced active working groups, and just a few weeks later they issued the Open Source Software Security Mobilization Plan. This plan included 10 budgeted workstreams designed to address high-priority security areas in open source software, from training and digital signatures to code reviews for major open source projects and the issuance of software bills of materials (SBOMs).


A recent government initiative regarding open source security is the Open Source Software Security Act, bipartisan legislation introduced by US Senators Gary Peters, D-Michigan, and Rob Portman, R-Ohio. Senator Peters is the chair and Senator Portman the ranking member of the Senate Committee on Homeland Security and Governmental Affairs. Both took part in the Senate hearings on Log4j, and this legislation was introduced afterwards to improve open source security and best practices in government by establishing the duties of the director of the Cybersecurity and Infrastructure Security Agency (CISA).

This is a turning point in US law because, for the first time, legislation is specific to the security of open source software. It acknowledges the importance of open source software and recognizes that "a safe, healthy, vibrant, and resilient open source software ecosystem is critical to ensuring the national security and economic vitality of the United States." Finally, it states that the Federal Government should play a supporting role in ensuring the long-term security of open source software.

The Open Source Software Security Act defines the tasks of the CISA director and promotes outreach and engagement with the open source community to improve the long-term security of open source software. It requires collaboration with federal, state, and local government entities, as well as the private sector and open source organizations, for tasks such as vulnerability disclosure.

The law focuses on the evaluation of critical components of open source software and, for that, requires the promulgation of a framework to assess the risk of software components. The framework will provide guidance on:

  1. Identifying open source components.
  2. Securing software development life cycle processes.
  3. Creating SBOMs that provide an inventory of components, versions and vulnerabilities.

In addition, the framework will require information on communities of open source components and the risk of exploitation.

This framework-based assessment will be implemented at the federal level and SBOMs will be required to show prioritized risk levels. It will be implemented to secure critical infrastructure, beginning with a pilot, the results of which will be presented by the CISA director to congressional committees and then to the public.

The final section of the law defines guidance for chief information officers (CIOs) in government agencies, which must be based on open source best practices to “manage and reduce the risk of using open source software; and guidance for contributing to and releasing open source software.” These best practices relate to a growing global trend of organizations establishing Open Source Program Offices (OSPOs) to drive the practical and strategic use of open source code.

Like CISO-led security offices, OSPOs are increasingly being adopted by organizations that consume and contribute to open source software. Starting with a pilot program modeled after OSPOs in the private sector, the goal is to develop policies and processes for government contributions to, and releases of, open source software. The OSPO will engage with open source communities and define processes to strengthen the security posture of open source software as a whole.

The law directly addresses the three main focus areas for improving open source security: vulnerability detection and disclosure, SBOM, and OSPO. It is very promising to see these initiatives at the government level. Although the law does not include a mandate for the private sector, organizations in all industries should pay attention to open source security through tools and best practices, including SBOM and OSPO.

While the proposed legislation still needs to pass the Senate and the House of Representatives and receive the president's signature, these are solid steps toward improving open source security and our overall cybersecurity.
