Request for Information on Open-Source Software Security Released by ONCD

Open-source software

Open-source software is a team effort involving both the private and public sectors. Keeping it secure, however, can be challenging: with many people contributing to the code, security can be overlooked, increasing the risk of vulnerabilities. The Open-Source Software Security Initiative (OS3I) aims to coordinate open-source security processes.

After the Log4Shell vulnerability, securing open-source software became a top priority for the federal government. OS3I’s goals include:

  • Unifying the government’s stance on open-source security
  • Creating a strategic plan for securely using open-source software
  • Encouraging long-term investment in open-source security
  • Building trust and collaboration with the open-source community

Soon after OS3I launched, agencies including the Office of the National Cyber Director (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA) requested public feedback on long-term open-source security priorities.

In August 2024, the White House summarized the feedback. It highlighted three main areas for improvement:

  1. Securing Open-Source Foundations: Respondents stressed the need for standards to secure the basics of open-source software. They suggested automating the conversion of old code into more secure forms to improve the safety of the ecosystem. Securing infrastructure such as package repositories, and creating standardized software bills of materials (SBOMs), were also recommended.
  2. Supporting Open-Source Communities and Governance: Respondents want the government to lead the management of open-source communities. They propose moving from volunteer-based maintenance to a shared-responsibility model. Suggestions include professional training and possibly paying independent developers. A federal Open-Source Program Office (OSPO) could help by providing consistent policies across the ecosystem.
  3. Incentives for Security: There is a push for the government to offer legal protections and funding to independent developers, especially for software used in critical areas. Improved funding and oversight could help get vulnerabilities fixed. A new NIST framework, such as a Responsible Open-Source Software Consumption Framework, might be developed to support this.

The next steps involve advancing research and development on open-source security and acting on the feedback received, such as improving package repositories and SBOMs and partnering with open-source communities.
