Cybersecurity continues to be a hot topic. More and more organizations are getting hit by ransomware attacks, critical open software vulnerabilities are making news, and we’re seeing industries and governments coming together to discuss initiatives to improve software security.
The U.S. government has been working with the tech industry and open source organizations such as the Linux Foundation and the Open Source Security Foundation to come up with a number of initiatives in the past couple of years.
The White House Executive Order on Improving the Nation’s Cybersecurity without a doubt kick-started subsequent initiatives and defined requirements for government agencies to take action on software security and, in particular, open source security. An important White House meeting with tech industry leaders produced active working groups, and only a few weeks later, they issued the Open Source Software Security Mobilization Plan. This plan included 10 streams of work and budget designed to address high-priority security areas in open source software, from training and digital signatures, to code reviews for top open source projects and the issuance of a software bill of materials (SBOM).
The Act directly addresses the top three areas of focus to improve open source security: vulnerability detection and disclosure, SBOMs and OSPOs.
One recent government initiative regarding open source security is the Securing Open Source Software Act, a bipartisan legislation by U.S. Senators Gary Peters, a Democrat from Michigan, and Rob Portman, a Republican from Ohio. Senators Peters and Portman are chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee, respectively. They were at the Log4j Senate hearings, and subsequently introduced this legislation to improve open source security and best practices in the government by establishing the duties of the director of the Cybersecurity and Infrastructure Security Agency (CISA).
This is a turning point in U.S. legislation, because, for the first time, it is specific to open source software security. The legislation acknowledges the importance of open source software and recognizes that “a secure, healthy, vibrant, and resilient open source software ecosystem is crucial for ensuring the national security and economic vitality of the United States.” Finally, it states that the Federal Government should play a supporting role in ensuring the long-term security of open source software.