Securing Open Source Software – Security Boulevard


Good writing arguing that open source software is a critical national security asset and should be treated as such:

Open source is at least as important to the economy, public services, and national security as proprietary code, but lacks the same standards and safeguards. It has the qualities of a public good and is as essential as national roads. Given the value of open source as a public good, an institutional structure must be built to support and secure it.

It’s not a new idea. The open source code was called the “roads and bridges” of the current digital infrastructure which justifies the same “concentration and financing.” Google’s Eric Brewer explicitly referred to open source software as “critical infrastructure” in a recent keynote at the Open Source Summit in Austin, Texas. Several countries have adopted regulations that recognize open source projects as important public assets and at the heart of their most important systems and services. Germany wants to treat open source software as a public good and has launched a sovereign technology fund to support open source projects “just as much as bridges and roads”, and not just when a bridge collapses. The European Union has adopted a formal agreement open-source strategy which encourages him to “explore the opportunities for support services dedicated to open source solutions [it] considers critical.

Designing an institutional framework that would secure open source requires addressing negative incentives, ensuring efficient allocation of resources, and imposing minimum standards. But not all open source projects are equal. The first step is to identify projects that warrant this level of scrutiny, i.e. projects that critical to the society. CISA defines critical infrastructure as industrial sectors “so vital to the United States that [its] incapacitation or destruction would have a debilitating impact on our physical or economic security or on public health or safety. Efforts should target open source projects that share these features.

*** This is a syndicated blog from the Security Bloggers Network of Schneier on safety written by Bruce Schneier. Read the original post at:


Comments are closed.