
White House invests $11 million in investigation into use of open source software


White House invests  million in investigation into use of open source software

Strengthening security around open source software has been a central part of the White House’s comprehensive cybersecurity efforts since President Biden issued his Executive Order to Improve the Security Posture of the United States in May 2021, just months after taking office.

Now the Biden administration and the Department of Homeland Security (DHS) are providing $11 million to launch a program to evaluate the use of open source software in critical infrastructure environments and identify ways to better protect that software.

At the DEF CON conference in Las Vegas late last week, National Cyber Director Harry Coker Jr. announced plans to launch the government’s Open Source Software Prevalence Initiative, which will also involve the country’s National Laboratories.

“We know that open source is the foundation of our digital infrastructure, and it is critical that we as a government give back to the community as part of our broader infrastructure efforts,” Coker said at the conference.

He added that while the government is launching the initiative and providing financial support, it requires the involvement of cybersecurity experts.

“These policy proposals rely on researchers’ commitment and willingness to freely share their findings to make them work,” Coker said. “Even in our discussions about developing a software liability system, we increasingly aim to leverage this unique community as part of novel policy solutions.”

A key part of the Biden administration’s efforts to improve the country’s cybersecurity is shifting responsibility from users of technology to developers, such as through the “Secure by Design” software message. Coker reiterated this during his talk, urging the audience of cybersecurity experts to “shift more responsibility for cybersecurity to the more capable players in the ecosystem. That means technology producers, yes, and certainly the federal government. But it also means all of you. … I know that the same values that drive responsible vulnerability disclosure will drive you to continue to work to protect the internet.”

Collaboration is key

The government’s influence is limited, he said. The president cannot simply solve problems with an order. Coker noted that the government and the technology industry have known about the vulnerabilities in the Border Gateway Protocol for decades, yet much of U.S. internet traffic is vulnerable to hacking. The same goes for using memory-safe programming languages like Rust and Go to eliminate a large portion of the vulnerabilities in today’s software.

“Yet critical software that underpins our society is written in C simply because it is more convenient,” he said. “The ‘tragedy of the commons’ surrounding open source software development is a well-known phenomenon; yet important packages are maintained by tiny groups of volunteers on extremely tight budgets.”

Wait and see

Katie Teitler-Santullo, cybersecurity strategist at OX Security, said it is uncertain how effective a program like the Open Source Software Prevalence Initiative can be.

“On the one hand, initiatives like this one from the White House and DHS signal to the private sector that increased scrutiny is coming,” said Teitler-Santullo, whose company offers an application security management platform. “Given the increasing reliance on open source software – and the open source components in most software – companies need to better understand software at all stages of its lifecycle.”

However, there are no guarantees of feasibility or impact for such government programs. Many organizations struggle to monitor and sort through the “long tail of software,” and app security and development teams struggle to keep up with the rapid evolution of the open source ecosystem.

“There is no question that it is important for public and private organizations to understand and fix the vulnerabilities of open source as well as custom software built on open source components,” said Teitler-Santullo. “Understanding the code at multiple levels and across the entire software development lifecycle … is no longer a nice-to-have. One small vulnerability can cause major damage.”

Marching orders

Coker’s remarks at DEF CON came a day after the White House released a summary of responses to its request for information on what the administration’s long-term priorities should be regarding open source software security.

The creation of the Open Source Software Prevalence Initiative is one of the government’s responses to the statements made by those who responded to the information request.

The report called on the government to leverage federal agencies to accelerate open source security, including expanded development of software bills of materials and establishing a U.S. government open source program office. According to the summary, responses focused on a number of steps, including encouraging expanded use of software bills of materials (SBOMs), strengthening the software supply chain, and securing package repositories, which are a target for malicious actors seeking to spread malware through organizations that inadvertently install and run seemingly legitimate packages.

Memory-safe languages have priority

They also recommended that the government provide more incentives to use memory-safe languages.

“There was also agreement that implementing memory-safe programming would be much easier on new projects than on legacy projects,” the authors of the summary said. “For the latter, many respondents favored a phased and prioritized approach to optimize resources while focusing on the most important projects.”

An example of this is the recent launch of the TRACTOR (Translating All C to Rust) program by DARPA (Defense Advanced Research Projects Agency) to automate many of the tasks required to rewrite C and C++ code in Rust.

Other recommendations included funding the development of tools and libraries to secure the open source software ecosystem, creating public-private partnerships within the community, helping to expand the pool of talented developers, expanding international collaboration, and exploring the use of artificial intelligence, large language models, and machine learning techniques.
