Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

US Aims to Further Secure Open Source Software

There was a time, twenty years or so ago, when large software firms, particularly in the US Pacific North-West, were highly dismissive of open source software. However, in today's world, its importance cannot be over-stated - the vast majority of software stacks are either completely or partially based on open source. In fact, by some estimates, open source underpins 96% of the world's software and is a major public good, not to mention a major foundry for innovation.

However, open source is not without its risks - who can forget the Heartbleed vulnerability in OpenSSL, or the log4j vulnerability of late 2021? Both of these highlight the exent to which commercial vendors are highly reliant on open source projects, yet contribute little or nothing to the costs of development and maintenance. OpenSSL was deployed by virtually every commercial UNIX vendor, yet they contributed nothing to its maintenance - a situation which, fortunately, changed dramatically following the adverse publicity generated, while the log4j vulnerability was first reported by a software engineer at Alibaba - a corporation with market capitalization of $US348 billion at the time - which had contributed nothing to the Apache Foundation's maintenance costs.

As a result, there are increasing concerns that the current open source development model may not be sustainable, with a number of codebases relying on open source projects that had no development activity and no user updates in the preceding two years - suggesting that these projects are no longer being maintained at all.

Earlier this year, the National Security Advisor to the White House, Jake Sullivan, hosted a one-day meeting of major software industry companies to discuss initiatives to improve open source security, and now the Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director, the National Science Foundation, the DoD's Advanced Research Projects Agency and the Office of Management and Budget have announced a Request for Information, seeking industry input on where the US government should prioritize efforts to secure open source software. This initiative will integrate the National Cybersecurity Strategy's focus on open source with CISA's Secure by Design efforts.

Over the last year, the interagency Open Source Software Security Initiative (OS3I) working group has identified several focus areas, such as reducing the proliferation of memory unsafe programming languages (which we have seen bear fruit with the incorporation of support for Rust in the Linux kernel and elsewhere); designing implementation requirements for secure and privacy-preserving security attestations; and identifying new focus areas for prioritization. The RFI is intended to further that last area by identifying areas most appropriate to focus government priorities, and addressing critical questions such as:

• How should the Federal Government contribute to driving down the most important systemic risks in open-source software?
• How can the Federal Government help foster the long-term sustainability of open-source software communities?
• How should open-source software security solutions be implemented from a technical and resourcing perspective?

The RFI process will engage with interested parties in three phases:

• Phase I - Addressing Respondent Questions About this RFI (which can be sent to OS3IRFI@ncd.eop.gov by 18 August 2023)
• Phase II - Submission of Responses to the RFI by Interested Parties, which will conclude on 10 October 2023
• Phase III  - Government Review

The RFI provides additional guidance for potential respondents, including questions which they should address and a list of potential areas and sub-areas of focus.

In the CISA news release, the authors make the point that "The federal government is one of the largest users of open source software in the world, and we must do our part to help secure it. This requires widescale efforts to help uplift the level of security in the open source ecosystem." They then go on to compare this effor to President Eisenhower's Federal Aid Highway Act of 1956, which authorized $US25 billion of funding to build 41,000 miles of highways over the next decade; the result, according to one report, was that "every $1 spent returned more than $6 in economic productivity".

The scale of this effort may be smaller, but considering the contribution of open source software projects to the global economy and the current level of losses due to cyber-attacks, the return on investment may be even higher. And the authors do not expect the government to carry the economic can, pointedly remarking that, "We envision an ecosystem in which creating secure open source code and regularly assessing the security of existing open source code is the norm rather than an added burden. As part of this, software manufacturers that consume open source software should contribute back to the security of the open source software they depend upon".

Goldstein, Eric and Camille Stewart Gloster, We Want Your Input to Help Secure Open Source Software, news release, 10 August 2023. Available online at https://www.cisa.gov/news-events/news/we-want-your-input-help-secure-open-source-software.

Office of the National Cyber Director, Open-Source Software Security: Areas of Long-Term Focus and Prioritization, Request for Information (RFI), 10 August 2023. Available online at https://www.regulations.gov/document/ONCD-2023-0002-0001.

Synopsis Inc., 2023 Open Source Security and Risk Analysis Report, technical report, 16 February 2023. Available online at https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.