What the Securing Open Source Software Act does and what it lacks


There’s at least one thing Republicans and Democrats can agree on in the US Senate: the importance of open source software. Seriously.

As US Senator Gary Peters (D-MI) said last week, “Open source software is the bedrock of the digital world.” His partner across the aisle, Rob Portman (R-OH), agreed, saying, “The computers, phones and websites we all use every day contain open source software that is vulnerable to cyberattacks.”

Therefore, the bipartisan Securing Open Source Software Act [PDF] “will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

The bill’s premise is that the Log4j vulnerability that exploded in 2021, and its continuing aftershocks, showed how exposed we are to attacks through open source code. In response, the Cybersecurity and Infrastructure Security Agency (CISA) must help “ensure that open source software is used securely by the federal government, critical infrastructure and others”.

After all, as the September 22 government statement introducing the legislation added: “The overwhelming majority of computers in the world rely on open source code.” This is far from the first time the federal government has noticed how vital open source software has become for everyone. In January, the United States Federal Trade Commission warned that it would punish companies that do not fix their Log4j security issues.

The US government has long supported open source software. For example, since 2000 the National Security Agency has helped create Security-Enhanced Linux (SELinux). And in 2016, then-US chief information officer Tony Scott proposed an open-source-friendly coding policy that required all “new software developed specifically for or by the federal government be made available for sharing and reuse among federal agencies”. That policy also includes a pilot program that will result in the public release of some of this new federally funded custom code.


The Securing Open Source Software Act, however, shifts open source from the realm of policy and regulatory decisions to federal law. The bill would require CISA to develop a risk framework to assess how open source code is used by the federal government. CISA would also decide how the same framework could be used by critical infrastructure owners and operators.

According to the Open Source Security Foundation (OpenSSF) in its analysis of the Act, “CISA would produce an initial assessment framework for open source code risk management, incorporating government, industry and community open source frameworks and software security best practices.”

In short, CISA would not try to reinvent the wheel, but rather use the best of existing open source security techniques. This follows in the footsteps of President Joseph Biden’s Executive Order on Improving the Nation’s Cybersecurity, which stated that developers must provide “a purchaser an SBOM [Software Bill of Materials] for each application.”

The law would also require CISA to identify ways to mitigate the risks associated with open source software. To do this, CISA would hire open source developers to fix security issues. It also proposes that certain federal agencies establish Open Source Program Offices (OSPOs). Finally, it would require the Office of Management and Budget (OMB) to fund a CISA software security subcommittee and to issue federal guidelines on how users can secure open source software.

Much of this will sound familiar to people who follow open source security closely. As OpenSSF noted, “Some of the ideas sound familiar to us – for example, the use of SBOMs, the importance of development, build, and release process security practices, and a call for a ‘Risk Assessment framework’ [echo] our Risk Assessment Dashboard stream of our Mobilization Plan.”

But, surprisingly, the bill misses other points. For example, all software, not just open source, should be checked for potential risks. As Brad Arkin, Cisco’s senior vice president and chief security and trust officer, testified before Congress about Log4j: “Open source software did not fail, as some have suggested, and it would be wrong to suggest that the Log4j vulnerability is evidence of a single flaw or increased risk with open source software. The truth is that all software contains vulnerabilities due to inherent flaws in human judgment in designing, integrating, and writing software.”


Yet, as flawed as the bill is, OpenSSF says it is “committed to collaborating and working both upstream and with existing communities to advance open source security for all. We look forward to collaborating with decision makers around the world to improve the security of the software we all depend on.”

OpenSSF isn’t the only group that wants to work with the government to fundamentally improve open source security while also having concerns. The Open Source Initiative (OSI) US Policy Director Deb Bryant worries that Congress is “building a framework that aims to treat open source as a special class of software instead of solving it for all software.”

Heather Meeker, a well-known open source lawyer and general partner at OSS Capital, was more optimistic: “It’s good to see a bipartisan effort to improve security management in software infrastructure, including open source software. The private market has long been calling for this improvement, via customer demands and expectations for software and cloud service providers. But government oversight can help accelerate improvement efforts outside of trade agreements with vendors, or in situations where vendor market power allows vendors to push back against customer demands.”

Of course, just because a bill reaches Congress doesn’t mean it will become law. However, its Senate committee advanced the bill on September 29. That is very fast for any bill on any issue. If it passes Congress, there is no doubt that Biden will sign it. With any luck, securing open source software will become the law of the land in 2023.
