The White House released a report on open source software security

The White House said it is making progress on its work to better secure open source software, releasing a year-end report detailing efforts toward a transparent and collaborative software development process that underpins nearly all types of software.

The Log4Shell vulnerability discovered in 2021 exposed both the ubiquity of open source code and the potential danger if not properly secured. While open source software is not inherently more vulnerable than proprietary code, the distributed nature of the development and use of such software can have a wide impact if it is vulnerable.

“Nearly every software application, website, mobile and Internet of Things device — including those used by small businesses, the federal government and the national security community — includes open source software to enable and scale rapid application development processes,” the administration noted in a report Tuesday.

These unique characteristics led the administration to advocate for open source software security in the national cybersecurity strategy and its subsequent implementation plan through the Open Source Software Security Initiative (OS3I), an interagency task force.

The year-end report covers four areas the administration focused on last year through OS3I: unifying the federal government’s voice on open source software security, establishing a strategic approach to securing such software, encouraging long-term investment, and engaging and building trust with the open source community.

According to the report, one of the main obstacles is promoting best practices for secure development in open source projects, as the entire process is often decentralized and voluntary. The Log4Shell incident report by the Cybersecurity Review Board states that open source projects “generally lack dedicated coordinated vulnerability detection and response teams that investigate the root causes of reported vulnerabilities and work to resolve them.”

Another concern is that, because open source code is so ubiquitous, many companies don’t even know what they are running when a major vulnerability is disclosed or when they are hit by a zero-day exploit, the report said. Even now, years later, vulnerable versions of Apache Log4j are still being found. In addition, companies often profit from these volunteer-run projects without contributing back through funding or other support, leaving key projects under-resourced.

“Efforts to secure open source software are challenged by a number of factors, including decisions within companies to reserve security-related features for commercial products built on open source software, inconsistent contributions to help sustain open source software projects from corporate users, and decentralized ownership and different development processes of open source projects, with contributions coming from entities with different resources, capabilities and priorities,” the report said.

Last year, the National Science Foundation issued a “Dear Colleague Letter” encouraging proposals to secure the open source software ecosystem. In September, the Cybersecurity and Infrastructure Security Agency released its own roadmap for securing open source software in the federal government and the broader ecosystem. CISA has leaned heavily on promoting both memory-safe languages, to drastically reduce the number of vulnerabilities, and software bills of materials.

The administration also published a Request for Information on open source software security, seeking expert input on the security of open source software.

The White House report notes that OS3I will continue into 2024 by “counting research and information submitted through RFIs to inform future OS3I work streams and priority actions.”

Additionally, the administration will “continue to invest in secure software development, including memory-safe languages and software development techniques, frameworks, and testing tools.”

OS3I will also continue to reach out to the community to “identify and highlight policy solutions that improve the security of the open source software ecosystem.”

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO on cybersecurity in the energy sector. Contact: christian.vasquez at cyberscoop dot com
