September 18 – At a recent two-day summit that brought together technology companies, banks and industry groups, the White House pushed for stronger standards for open-source software development.
The Biden administration wants companies to expand their use of inventories known as software bills of materials (SBOMs), which record the open-source components in a product, each component's licensing and version information, and whether or not a component contains known vulnerabilities.
The White House also recommended that companies conduct exercises that test the legitimacy of their software bills of materials, to see how easily a vulnerability can be exploited or remedied.
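As an added illustration (not part of the original article), the following script audits a small SBOM for the fields the summit called out and cross-checks each component against a vulnerability feed. The CycloneDX-style JSON layout, the sample SBOM, the advisory feed and the advisory identifier are all constructed placeholders, not real data.

```python
"""Audit an SBOM for the fields described above (components, licensing,
versions, known vulnerabilities).  All inputs are constructed samples."""
import json

# Constructed sample SBOM using a CycloneDX-like JSON shape (assumed layout).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "log4j-core", "version": "2.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "log4j-core", "version": "2.99.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "left-pad", "version": "1.3.0"},   # no licence recorded
        {"name": "mystery-lib"},                     # no version recorded
    ],
})

# Constructed advisory feed: placeholder id and made-up version range.
KNOWN_VULNS = {
    "log4j-core": {"id": "ADVISORY-PLACEHOLDER-1",
                   "vulnerable_from": "2.0.0", "fixed_in": "2.50.0"},
}

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so dotted versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def audit_sbom(sbom_json, advisories):
    """Return (component, issue) findings: missing fields and known-vulnerable
    versions.  A component without a version cannot be matched to advisories,
    so that gap is itself reported as a finding."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if version is None:
            findings.append((name, "missing version"))
            continue
        if not comp.get("licenses"):
            findings.append((name, "missing licence"))
        adv = advisories.get(name)
        if adv and (parse_version(adv["vulnerable_from"]) <= parse_version(version)
                    < parse_version(adv["fixed_in"])):
            findings.append((name, f"{version} affected by {adv['id']}"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_sbom(SAMPLE_SBOM, KNOWN_VULNS):
        print(f"{name}: {issue}")
```

The same audit run over a real SBOM is a cheap first check for the "legitimacy" exercises the White House recommended: an inventory missing versions or licences cannot answer the question the summit posed.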
The open-source security conversation
This latest summit in Washington mirrored a previous one held in January 2022, which took place after the disclosure of a vulnerability in Log4j, a popular open-source program that tracks network activity.
The Log4j disclosure caused panic within the cyber security community, and many concerned experts spent the Christmas holiday working.
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly described Log4j as one of the most severe vulnerabilities she has observed across her entire career.
According to one estimate, 96% of codebases contain open-source code.
CISA has previously commented on two critical risks. The first is the “cascading” impact of vulnerabilities within open-source components (e.g., what happened with Log4j). The second is supply chain attacks on open-source repositories.
A new open source plan
The U.S. has finally released a much-anticipated plan that describes how it will enhance open-source security across ecosystems. The roadmap outlines four goals, to be achieved between fiscal years 2024 and 2026:
- Establish CISA’s role in supporting secure open-source software
- Increase visibility into open-source applications and vulnerabilities
- Mitigate risks to the federal government
- Advance open-source software ecosystem security