Diverse stakeholders convened to discuss paths to improvement

White House meeting on security of open source software

Published on: 17/02/2022 News

On 13 January the White House organised a meeting on improving the security of open source software, bringing together representatives of governmental agencies, the private sector and open source foundations.

Acknowledging that open source is present in almost all software solutions used today and that it brings unique value, the US government discussed the challenges and potential of open source with major stakeholders in the field. Further meetings are expected, to respond to the widespread use of open source and the need to ensure its security.

The meeting took the form of a group discussion and breakout sessions. The emphasis was on finding ways to collaborate on the challenges at hand: sustainable mechanisms to provide support, education and tools to open source projects that are critical to digital infrastructures, and new ways of collaboration between the public and private sector.

The first topic on the agenda was the prevention of security defects and ways to enable developers to write more secure code. This could include building security features into development tools, as well as ensuring that the infrastructure used to work with code is itself secure.

Improving the mechanisms for detecting and fixing vulnerabilities was the next point on the agenda, focusing on how to identify critical open source projects and on better ways to maintain them. This is already being done, for instance, by foundations such as the Open Source Security Foundation, but also by public sector institutions at different levels. It is worth noting that the European Commission, together with the European Parliament, launched the FOSSEPS project in February 2022; it will create an inventory of Critical Open Source Software that will contribute to security and technological independence in the EU.

The last topic discussed was how to respond more rapidly to defects and vulnerabilities in code, and how to speed up the distribution and deployment of fixes in the future. Here, ways to accelerate the use of the Software Bill of Materials (SBOM) were discussed, as required by the US President’s Executive Order of May 2021. An SBOM is a formal record detailing all information about, and supply chain relationships between, the components used in a given piece of software: a list of all the building blocks in a system. It was one of the means listed in the Executive Order, which aimed to improve the cybersecurity of software used in the United States and introduced obligations for all Federal Information Systems to increase security throughout the software supply chain.

The meeting is said to have been prompted by the Log4j vulnerability that affected several public sector institutions, companies and private users in December 2021. Log4j is open source software widely used to record computer system activities such as errors and routine system operations. It was compromised in a way that allowed the capture of diverse types of private data, such as the username and the real name of a person who attempted to log in to an online service. This vulnerability started a global discussion on the security of open source and the need for its improvement, and has since been largely addressed throughout the ecosystem.

Several organisations that participated in the meeting applauded the initiative and pointed to additional topics in their blog posts and comments after the meeting. These include: establishing security, maintenance and testing baselines; increasing public and private support and collaboration for identifying and responding to vulnerabilities; encouraging the adoption of open security standards; and identifying critical assets.

The full list of attendees is available in the White House press release.