Washington summit grapples with securing open source software

A who’s-who of technology industry representatives and national security agencies are convening this week in Washington to explore ways to improve the security of open source software — a bedrock of the software ecosystem that government officials and researchers are grappling with how to better secure.

Hosted by the Linux Foundation’s Open Source Security Foundation, the Secure Open Source Software Summit brings together a medley of federal agencies, non-profits and tech giants.

“This week’s convening is a check in with government and the private sector partners to ensure we are holding ourselves accountable toward the aggressive goals set last year and to continue to spark momentum,” Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, said in a statement to CyberScoop. “But we have more work to do – like tools to generate software bills of materials automatically and approaches to use AI for more secure open source software.”

Open source software is a core building block of virtually all computer systems, but its reliance on volunteers and the fact that anyone can contribute to its repositories can lead to major security concerns. Indeed, the initial drive for the January 2022 open source security summit was an easily exploitable vulnerability found in the Apache Log4J software, which continues to be exploited nearly three years after its discovery.

The attendees of this week’s summit include government representatives from the Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director, the Departments of Energy and Treasury, the National Science Foundation, the National Security Council, the Office of Management and Budget, the Advanced Research Projects Agency for Health and the Defense Advanced Research Projects Agency.

Industry representatives include Amazon, Apple, Google, Github, IBM, JFrog, Lockheed Martin and Microsoft, among many others.

Non-profits include the Alperovitch Institute for Cybersecurity Studies, FS-ISAC, ISC2 and the Fintech Open Source Foundation.

The Biden administration has embraced improving the security of open source software as a key priority. At the cybersecurity conference Black Hat in August, the administration released a request for information on how best to secure open source technology, whether that’s through promoting memory safe languages like Rust that can help protect a particular subset of vulnerabilities by default or more broadly, such as where should the federal government focus its resources.

On Tuesday, CISA published its open source software security roadmap. The agency outlined two major concerns: cascading risks of vulnerabilities in open source projects and the potential supply chain impacts of a compromised repository where a malicious update can lead to widespread backdoors or scripts.

“Open source software has fostered tremendous innovation and economic gain, including serving as the foundation for technologies used across our federal government and every critical sector,” Eric Goldstein, the executive assistant director for cybersecurity, said in a statement. “In part due to this prevalence, we know that vulnerable or malicious open source software can introduce systemic risks to our economy and essential functions.”

The roadmap calls for several overarching goals: establishing CISA’s role in supporting open source software, drive visibility over usage and risks, reducing risks for the federal government and hardening the open source software ecosystem.

While that roadmap is encouraging, it lack sufficient focus on funding the work to secure open source software, said Dan Lorenc, the CEO of Chainguard and a member of OpenSSF. “They talked about help, they talked about support, but the word ‘funding’ doesn’t show up in here once, so I’m not quite sure what that support means,” Lorenc said.

Delivering that funding is not an easy task, Lorenc acknowledged. Some developers or maintainers of open source projects work day jobs that prohibit payment on outside projects. And the open nature of open source programs — meaning anyone can clone or try to contribute — means that the broader open source community is far more diverse and fragmented than the interest groups and larger organizations that can more easily receive federal funding.

“It’s really hard for anybody, not just CISA and not just the U.S. government to engage in a constructive way with the broader open source community,” Lorenc said.

Asked about the lack of funding in the roadmap, a CISA spokesperson said that the agency “appreciates all feedback from the open source community.” The spokesperson said that the roadmap is a “starting point” and pointed the open source community to the request for information “to inform the government’s next steps.”

One key topic of conversation at this year’s summit will be how artificial intelligence fits into securing open source software, said Omkhar Arasaratnam, OpenSSF’s general manager.

“OpenSSF believes AI can be used to address entire classes of open source security problems. We expect to see significant progress in this area from programs like the AI Cyber Challenge by DARPA,” Arasaratnam said.

Arasaratnam said the summit will be focused on four areas of work related to AI security: supply chain security in open source packages, such as the PyTorch deep learning framework; the security of open sourced AI packages like Falcon LLM; augmenting cybersecurity with AI and applied security of open source inputs and outputs in AI.

Going forward, OpenSSF aims to expand education for open source developers through security guides and classes, improve security evaluations, strengthen open source tools and increase funding for vulnerability discovery tools.

Moran Ashkenazi, a summit attendee and the chief security officer and vice president of engineering at JFrog, said that firms in attendance were encouraged to “contribute, not just consume.” While open source projects are the bedrock of the digital economy, many large companies use the free software while doing little to give back. Encouraging companies to contribute to open source repositories could improve the quality of the code for everyone.

Correction, Sept. 15, 2023: An earlier version of this article included an incorrect title for Moran Ashkenazi, who is the chief security officer and vice president of engineering at JFrog.