Additional focus on cybersecurity at the highest level of any organization is, of course, always a good thing, but too often the senior leadership of an organization tends to focus more on optics than substance. The recent meeting on the state of open source software security convened by the White House is likely to have an all too familiar feel to many IT and security professionals.
The White House published a statement that, among other things, notes the participants in this meeting had a “substantive and constructive” discussion on how to make a difference in the security of open source software while effectively engaging with and supporting the open source community.
Meeting participants included Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, the Office of Science and Technology Policy, the Department of Defense, the Department of Commerce, the Department of Energy, the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, and the National Science Foundation. Akamai, Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, Red Hat, and VMware all sent representatives.
The White House reports the discussion focused on preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes.
On the first topic, the White House disclosed that participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools, and to secure the infrastructure used to build, warehouse, and distribute code through techniques such as code signing and stronger digital identities.
On the second topic, participants discussed how to prioritize the most important open source projects and put in place sustainable mechanisms to maintain them.
On the final topic, participants discussed ways to accelerate and improve the use of Software Bills of Materials (SBOMs), as required by the President’s Executive Order, to make it easier to know what is in the software we purchase and use.
In summary, the Federal government is encouraging agencies, and any organization they work with to build software, to embrace DevSecOps best practices so that developers can create more secure applications. That’s hardly a new idea. Many developers and cybersecurity professionals are already moving in that direction. The White House report didn’t address any of the real DevSecOps challenges being encountered.
Developers today routinely reuse open source software such as the Log4j logging tool, which was recently discovered to have a number of zero-day vulnerabilities. The issue is that many of those projects are maintained by a small number of programmers who contribute their time and effort to build components that others are free to use. Like any other developer, those individuals have only limited security expertise. The proverbial gorilla in the room that is not being addressed is the fact that so many IT vendors and large enterprise IT organizations reuse that code without contributing anything meaningful back to the project, either in terms of financing or simply by helping open source maintainers find and remediate vulnerabilities. One open source community has now even gone so far as to protest this state of affairs by deliberately sabotaging its codebase. It’s not clear whether others will follow suit, but there is widespread resentment in the open source community when it comes to cybersecurity. At the core of that issue is that contributors to these projects freely donate their time and expertise to build these components. The onus for making sure they are secure is on the organizations that decide to deploy that software.
The White House is clearly trying to pressure IT vendors and larger enterprises to contribute more to the effort to secure open source software. The U.S. government also appears to be poised to increase the amount of funding it makes available to help achieve that goal.
In the meantime, when reviewing software supply chains, cybersecurity teams will need to assess whether the open source software being employed is truly sustainable from a security perspective. The smaller the number of contributors to an open source project, the more likely it becomes that there will be security issues.
Hopefully, this is the beginning of a major improvement to the security of open source software. However, it’s also worth remembering that talk is cheap.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.