White House releases report on securing open-source software

The White House said it is making progress on its work to better secure open-source software, releasing an end-of-year report that details efforts on a transparent and collaborative software development process that underlines nearly every type of software.

The Log4Shell vulnerability discovered in 2021 laid bare both the ubiquity of open-source code and the potential danger if not properly secured. While open-source software is not inherently more vulnerable than proprietary code, the distributed nature of the development and use of such software can have widespread impact if vulnerable.

“Almost every software application, website, mobile device, and Internet of Things device — including those used by small businesses, the Federal Government, and the national security community — incorporates open-source software to enable and scale rapid application development processes,” the administration noted in the Tuesday report.

These unique characteristics lead the administration to champion the securing of open-source software in the national cybersecurity strategy and subsequent implementation plan through the Open-Source Software Security Initiative (OS3I), an inter-agency working group.

The end-of-year report goes over the four areas the administration focused on last year through the OS3I: unifying the federal government’s voice on open-source software security, establishing a strategic approach to secure such software, encouraging long-term investment, and engaging and building trust with the open-source community.

According to the report, one major roadblock is promoting best practices for secure development in open-source projects, since the entire process is often decentralized and voluntary. A report of the Log4Shell incident by the Cyber Safety Review Board noted that open-source projects “generally do not have dedicated coordinated vulnerability disclosure and response teams that investigate root causes of reported vulnerabilities and work to bring them to resolution.”

Another concern is that due to the ubiquitous nature of open-source code, many companies don’t even know what they have when there is a major vulnerability or when they suffer a zero-day exploitation, the report notes. Even now, versions of the vulnerable Apache Log4j software are still being found, years later. Additionally, companies often profit from the work of these voluntary projects without contributing back either through funds of other resources, leaving key projects under-resourced.

“Efforts to secure open-source software are challenged by a range of factors, including decisions within companies to reserve security-related features for commercial products built upon open-source software, inconsistent contributions to help sustain open-source software projects from corporate consumers, and the decentralized ownership and varied development processes of open-source projects, with contributions coming from entities with varying resources, capabilities, and priorities,” the report states.

Last year, the National Science Foundation penned a “dear colleague letter” encouraging proposals to secure the open-source software ecosystem. The Cybersecurity and Infrastructure Security Agency in September published its own roadmap to secure open-source in the federal government and broader ecosystem. CISA has leaned heavily on promoting both memory-safe languages to drastically reduce the number of vulnerabilities and software bill of materials.

The administration also released a request for information on open-source software security, asking for expert opinions on securing open-source software

The White House report notes that the OS3I will continue in 2024 by “taking stock of the research and information submitted through the RFI to inform future OS3I workstreams and priority actions.”

Additionally, the administration will “continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”

The OS3I will also continue to reach out to the community to “identify and highlight policy solutions that improve the security of the open-source software ecosystem.”