Identification of critical open source software in Europe


FOSSEPS stands for Free and Open Source Solutions for European Public Services and is an initiative of the European Commission to identify the most critical open source software used by European public services.

Open source software powers everything from modern servers to the IoT to desktop computers at work and is also at the heart of European Union systems. This is so important that the European Commission’s Open Source Program Office decided to offer bug bounties on popular open source software, as described in “The European Union will pay to find bugs in open source software”.

The problem with the bug bounty was knowing which apps were going to be tagged as critical or important in order to allocate resources to them. This is the same problem faced by the Open Source Security Foundation in its efforts to make open source software sustainable and for which the Criticality Score Project was set up. This has already led to the identification of critical OSS projects, most recently with the release of “Census II of Free and Open Source Software – Application Libraries”, as we reported last month.

The FOSSEPS initiative has a similar goal of identifying the most critical software used in the EU public sector, but the approach in this case is to conduct a survey.

In this project, “critical software” is software that is very important for European public services (EPS) and whose continued use and existence is threatened. The importance of a piece of software may be due to the fact that it is widely used within an organization or because it supports the key processes of this organization. From a usage perspective, the software may not be well supported, whether through internal support contracts or because of inadequate/bad responses from the software community that maintains it. From a sustainability perspective, the continued existence of the software may be at risk due to the poor health of the software project community and its inability to sustain it.

The results of the survey will be used to:

  • Build a European catalog of open source applications (with data taken from national catalogs) and publish it on the web for public search and use.
  • Create an inventory of Europe’s most critical open source software used by European public services.
  • Create a framework for European cooperation on open source: encourage and establish a framework, for example via a European group of users of open source public services (EPS-OS-UG), for the sharing of knowledge, experiences and open source initiatives at European level.

The survey consists of nine questions divided into three sections. The first covers off-the-shelf open source software applications. The second relates to open source dependencies, such as software libraries and frameworks that an organization uses to develop applications. The third section asks questions about open source in your organization, although many of these questions are interspersed in the other two sections.

Respondents must also upload two spreadsheet files. In the first, they list the most critical open source applications or infrastructure elements for their organizations and estimate their criticality using the following model:

  • FOSS project name [Mandatory]
  • FOSS Project URL
  • FOSS project category [Mandatory]
  • Total number of instances of this type of software (both FOSS and proprietary)
  • Maximum degree of importance of this FOSS project for your organization [Mandatory]
  • Explanation of significance level
  • Project governance is
  • Your assessment of the health of this project [Mandatory]
  • Explanation of your assessment
  • Type of support contract your organization has for this FOSS project [Mandatory]
  • Details about your support contract
  • Your contribution to this FOSS project
  • Details about your contribution to this FOSS project

The second worksheet is used to list the most important FOSS frameworks/libraries used in respondents’ software development. It repeats most of the questions above and also asks for the number of applications in which each dependency is used.

The survey also includes questions that help the committee understand an organization’s use and support of open source applications in the areas of business and infrastructure, as well as its use and support of open source dependencies (i.e. libraries and frameworks) from a software development point of view:

  • Is your organization aware of or has it been affected by any of these incidents/vulnerabilities?
      • Heartbleed (2014)
      • Removal of LeftPad from NPM (2016)
      • Event Stream Hack (2018)
      • Log4Shell (2021)
      • Scuttling of colors.js/faker (2021)
  • Does your organization have an explicit policy regarding open source software?
  • Does your open source policy include rules about support for open source used within your organization?
  • Does your open source policy include rules about contributing to open source projects used within your organization?
  • Does your organization have a dedicated contact person or structure (sometimes also called the “Open Source Program Office”) for questions related to open source software?
  • Does your organization develop (or have developed) open source software applications? If yes, please indicate the approximate number of bespoke applications currently in use?
  • Is your organization aware of recursive software dependencies in the software development tools/frameworks you use?
  • Does your organization take specific steps to address security issues that may affect the recursive open source dependency tree used by your applications?

And, of course, it also asks which public organization respondents answer to.

This initiative marks the latest trend in institutional awareness of free software. EU awareness began with the Free and Open Source Software Audit (FOSSA) project in 2019, thanks to EU Pirate Party MEP Julia Reda, who started the project thinking “Enough is enough” after the discovery of severe vulnerabilities in key infrastructure components like OpenSSL. This prompted her to involve the European Commission in contributing to Internet security. See “EU Bug Bounty – Software Security as a Civil Right” to learn more.

This was followed in 2022 by the European Commission’s Open Source Program Office deciding to offer bug bounties on popular open source software. See “The European Union will pay to find bugs in open source software” to learn more. And last but not least, and quite recently, came the Linux Foundation’s Alpha Omega project with the OpenSSF founded by megacorps like Microsoft and Google. From “New Initiative to Take Open Source Software Security Seriously”:

The fact that Microsoft and Google are pouring money into the Alpha-Omega project, with an initial investment of $5 million, is further proof of its importance. The narrative is that given the scarcity of resources to allocate, bug bounties like the European Union’s and the Linux Foundation’s SOS awards are welcome, but not sufficient, as they are small in scale. The Linux Foundation found that a broader and more holistic attempt should be used. For this reason, they started the Alpha Omega initiative.

Of course, other related activities like securing the software supply chain, as in Sigstore, are already running in parallel. From “Does Sigstore really secure the supply chain?”:

To create useful software, we don’t reinvent the wheel, but build on the work already done in the form of libraries.
The problem is that even a mediocre open source project can have such dependencies which themselves depend on others, forming a lengthy chain. This is not a problem in itself, unless malicious code has been implanted anywhere in this chain. After all, it only takes one npm install command to get infected.

The general conclusion is that OSS, once an absurd minority movement, is now present everywhere, supporting the functionality of modern society. As such, it needs all the attention it can get. The Heartbleed bug occurred because the OpenSSL Software Foundation, which is responsible for maintaining the OpenSSL library, the cornerstone of secure Internet transactions used by millions of websites and organizations, received only 2,000 dollars in donations a year and had only ONE full-time employee working on the library. These days, that would be considered unacceptable. OSS developers also have to make a living, as Patrice-Emmanuel Schmitz, lawyer at Joinup, puts it:

Like bread and beer, free software development is not free: developers need incentives, let’s just say the money they need to buy their bread and beer or to provide their families with a decent life.

More information

Help us identify critical open source used in European public services

Related Articles

The European Union will pay to find bugs in open source software

Census II lists critical application libraries

New Initiative to Take Open Source Software Security Seriously

Taking Open Source Criticality Seriously

Does Sigstore really secure the supply chain?

EU Bug Bounty – Software security as a civil right

