White House Meeting Puts Spotlight on OSS Sustainability

A recent meeting between IT industry leaders and White House officials put open source software sustainability concerns in the spotlight, as high-profile breaches and zero-day attacks have led many organizations to review their software supply chains.

The White House released a statement describing, among other things, how participants had a “substantive and constructive” discussion on how to make a difference in the security of open source software while continuing to actively engage and support the open source community.

Participants in the meeting included Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, the Office of Science and Technology Policy, the Department of Defense, the Department of Commerce, the Department of Energy, the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology and the National Science Foundation. Akamai, Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, Red Hat and VMware sent representatives.

The White House reported that the discussion focused on preventing security flaws and vulnerabilities in code and open source packages, improving the process for finding and fixing flaws, and shortening the time it takes to distribute and deploy fixes.

Few specific recommendations emerged from the meeting, but it is clear that the White House is applying more pressure after the disclosure of a zero-day vulnerability in the Log4j logging library, used in countless Java applications, wreaked havoc in enterprise IT environments and government agencies. That vulnerability illustrated how heavily organizations depend on open source software projects and drew attention to the fact that many of those projects are created and maintained by a handful of volunteer maintainers and contributors. The individuals who create these projects do not always have deep cybersecurity experience. In fact, many of them would argue that the responsibility for securing open source software lies with the organizations that consume what amounts to free software. It is not the job of open source contributors and maintainers to drop everything and produce an on-demand patch for a zero-day vulnerability.

However, the federal government has made clear through an executive order that it expects IT vendors and large companies that rely on open source software to do more to secure it. In the meantime, IT teams will need to assess their reliance on open source software, especially where a project is not sustainable from a security perspective simply because it lacks enough contributors with the necessary expertise.

Of course, this is a complex issue. In many cases, organizations rely on open source components without even realizing it. These components arrive inside an application built by an independent software vendor (ISV) that typically does not disclose how the application was assembled. When a zero-day vulnerability is disclosed, cybersecurity teams can spend weeks determining every way in which instances of an application, whether built in house or licensed, are affected.
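The dependency-inventory problem described above is what a software bill of materials (SBOM) is meant to solve: if every application ships with one, the question "which of our applications bundle an affected version?" becomes a query instead of weeks of research. What follows is an added example, not code from this article or from any of the vendors named in it: a small Python matcher over a constructed CycloneDX-style SBOM that walks nested (transitive) components, the way an ISV-bundled library would appear, and compares Maven-style version strings against a vulnerable range. The SBOM contents are made up; the range is the one published for CVE-2021-44228 (log4j-core 2.0-beta9 through 2.14.1); and SAMPLE_SBOM, LOG4SHELL_RANGES, version_key, walk_components and find_affected are names introduced here.

```python
import json
import re

# Constructed CycloneDX-style SBOM (not any real product's SBOM). Only the
# fields the matcher needs are present. The "vendor-widget" component has a
# nested components list, which is how a library bundled by a vendor shows up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.example", "name": "vendor-widget", "version": "3.2.0",
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta8"},
         ]},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ],
})

# Vulnerable range for CVE-2021-44228 as published by Apache (inclusive bounds).
LOG4SHELL_RANGES = [("2.0-beta9", "2.14.1")]

# Accepts "2.14.1", "2.0", "2.0-beta9", "2.0-rc1"; anything else is rejected
# rather than silently mis-ordered.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def version_key(version: str) -> tuple:
    """Sort key for Maven-style versions: 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad so that 2.0 compares equal to 2.0.0
    if m.group(2):
        # A pre-release sorts before the release carrying the same numbers.
        return (nums, 0, m.group(2).lower(), int(m.group(3) or 0))
    return (nums, 1, "", 0)


def walk_components(components):
    """Yield every component, descending into nested (bundled) components."""
    for component in components:
        yield component
        yield from walk_components(component.get("components", []))


def find_affected(sbom_json: str, group: str, name: str, vulnerable_ranges) -> list:
    """Return the versions of group:name in the SBOM that fall inside any range."""
    sbom = json.loads(sbom_json)
    hits = []
    for component in walk_components(sbom.get("components", [])):
        if component.get("group") != group or component.get("name") != name:
            continue
        key = version_key(component["version"])
        if any(version_key(lo) <= key <= version_key(hi) for lo, hi in vulnerable_ranges):
            hits.append(component["version"])
    return hits


if __name__ == "__main__":
    affected = find_affected(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", LOG4SHELL_RANGES)
    print("affected log4j-core versions:", affected)
```

Two caveats a practitioner should keep in mind. A plain range match over-approximates: Apache also shipped fixes on older release branches for installations that could not move to 2.15.0, so any hit should be confirmed against the current advisory rather than treated as the final word. And a real SBOM carries purl identifiers and bom-ref links between components; the matcher ignores them so that the version logic stays visible, but a production inventory should match on the purl as well.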

“There is no way of knowing the truth,” said Mitch Ashley, director of Techstrong Research, an arm of Techstrong Group, the parent company that publishes DevOps.com. “The loophole could be anywhere.”

It is not yet entirely clear how significant the issue of open source security sustainability is. Relative to the amount of open source software currently in use, the number of security issues encountered is small, Ashley noted.

“The innovation benefits of open source software far outweigh the risks,” he said.

It may be some time before the open source community addresses the growing concerns about the software supply chain. What is clear is that many members of the IT community are about to be held accountable for it.
