Bipartisan Open Source Software Security Bill Proposed in Response to Log4j Issues


The fallout from the Log4j vulnerability prompted Congress to take bipartisan action to strengthen the security of open-source software. The Securing Open Source Software Act would task the Cybersecurity and Infrastructure Security Agency (CISA) with developing a risk framework to assess open source code used by the federal government, and could be passed on to critical infrastructure companies.

Open source software security unites lawmakers

The bid to improve the security of open source software is co-sponsored by Republican Rob Portman of Ohio and Democrat Gary Peters of Michigan, who called open source software “the foundation of the digital world” and noted that it is present in the “overwhelming majority” of computers in use today.

CISA has previously warned that organizations should expect to deal with Log4j issues for “a long time,” and the Department of Homeland Security (DHS) recently advised that its exploitation should be expected for at least a decade. The incident was essentially the perfect demonstration of the severity and damage of open source software security issues, affecting a widely used Java logging tool that is embedded in countless software packages. In March, security researchers noted at least three million vulnerable instances in a study, many of which are buried deep in software and difficult to locate and fix without a software bill of materials or similar documentation pointing directly to them.

This is not the first time the government has directly addressed the issue, which first emerged in late 2021. The Federal Trade Commission (FTC) has issued a warning that it intends to issue fines to companies that don’t fix it and later experience a breach of personal information attributed to it. The FTC cited the 2017 Equifax breach as a similar example; this too was caused by a known vulnerability in Apache Struts that the credit bureau failed to fix, and led to a $700 million fine after the sensitive personal information of over 100 million people was stolen.

The federal government has supported the use of open source software in its agencies for nearly two decades, but has largely left security to individual departments. The Open Source Software Security Bill would take advantage of CISA’s emerging status as the federal security watchdog to have it draft a risk assessment framework for all agencies. The bill proposes that CISA build on existing frameworks from “government, industry, and (the) open source community” and engage open source developers to troubleshoot and resolve security issues. At present, any use of this framework by critical infrastructure companies appears to be voluntary.

The Biden administration has already taken a step in this direction with its recent executive order requiring open source software used by federal agencies to have a software bill of materials available. If the bill passes, certain federal agencies would be required to create Open Source Program Offices (OSPOs) and the Office of Management and Budget (OMB) would be responsible for issuing federal guidelines on the security of open source software.

Tim Mackey, Senior Security Strategist at the Synopsys Cybersecurity Research Center, notes that the proposed open source software security bill follows a path that private industry is already taking with software, but is not necessarily as comprehensive as needed: “The management of open source software is fundamentally different from the management of commercial software – whether or not that software is off the shelf or created on a contract basis. Securing open source software properly requires an understanding of this and other realities of how open source enters organizations such as the US government. The Open Source Software Act of 2022 (S4913) recommends many activities that have traditionally been the responsibility of an Open Source Program Office (OSPO). For example, it is the responsibility of an OSPO to determine what open source risks are acceptable for an application and the context in which it is deployed.

“While there is a lot to like about S4913, the fact that there is no mention of how the open source software was tested is concerning. There are many software development practices that can create weaknesses in software, some of which depend on the programming language. The capabilities of different testing tools, both commercial and open source, also vary widely. The quality of software testing and the security targets used in testing are as important in open source software as in commercial software,” added Mackey.

Open Source Software Security Bill Makes Needed Changes, But Has Weaknesses

Although the open source software security bill has substantial support, it will face some challenges on the way to passage.

One concerns the upcoming midterm elections, which not only attract the full attention of lawmakers, but also lead to a shortening of the legislative calendar. The bill is very likely to sit until 2023 before further progress is made, and if past cybersecurity legislation is any indication, it could potentially stay even longer as other items take priority.

And although the security of open source software is a very important issue, there is concern that the bill will focus the government’s attention exclusively on this element to the detriment of needed improvements in commercial products. The biggest security vulnerabilities the government has had to deal with recently resulted from weaknesses in Microsoft Exchange and SolarWinds.
The bill has nevertheless moved fairly quickly so far, advancing from committee to the Senate in late September. If passed by Congress, President Biden is generally expected to sign it into law, given that the administration’s primary focus is on improving the nation’s cybersecurity defenses. A series of executive orders issued since 2021 have resulted in fairly rapid updates to the defenses of government agencies, critical infrastructure and utility companies.