White House releases report on securing open-source software – CyberScoop

The White House said it is making progress on its work to better secure open-source software, releasing an end-of-year report that details efforts on a transparent and collaborative software development process that underlies nearly every type of software.
The Log4Shell vulnerability discovered in 2021 laid bare both the ubiquity of open-source code and the potential danger if not properly secured. While open-source software is not inherently more vulnerable than proprietary code, the distributed nature of the development and use of such software can have widespread impact if vulnerable.
“Almost every software application, website, mobile device, and Internet of Things device — including those used by small businesses, the Federal Government, and the national security community — incorporates open-source software to enable and scale rapid application development processes,” the administration noted in the Tuesday report.
These unique characteristics lead the administration to champion the securing of open-source software in the national cybersecurity strategy and subsequent implementation plan through the Open-Source Software Security Initiative (OS3I), an inter-agency working group.
The end-of-year report goes over the four areas the administration focused on last year through the OS3I: unifying the federal government’s voice on open-source software security, establishing a strategic approach to secure such software, encouraging long-term investment, and engaging and building trust with the open-source community.
According to the report, one major roadblock is promoting best practices for secure development in open-source projects, since the entire process is often decentralized and voluntary. A report on the Log4Shell incident by the Cyber Safety Review Board noted that open-source projects “generally do not have dedicated coordinated vulnerability disclosure and response teams that investigate root causes of reported vulnerabilities and work to bring them to resolution.”
Another concern is that, due to the ubiquitous nature of open-source code, many companies don’t even know what they have when there is a major vulnerability or when they suffer a zero-day exploitation, the report notes. Even now, versions of the vulnerable Apache Log4j software are still being found, years later. Additionally, companies often profit from the work of these volunteer projects without contributing back, either through funds or other resources, leaving key projects under-resourced.
“Efforts to secure open-source software are challenged by a range of factors, including decisions within companies to reserve security-related features for commercial products built upon open-source software, inconsistent contributions to help sustain open-source software projects from corporate consumers, and the decentralized ownership and varied development processes of open-source projects, with contributions coming from entities with varying resources, capabilities, and priorities,” the report states.
Last year, the National Science Foundation penned a “dear colleague letter” encouraging proposals to secure the open-source software ecosystem. The Cybersecurity and Infrastructure Security Agency in September published its own roadmap to secure open-source software in the federal government and the broader ecosystem. CISA has leaned heavily on promoting both memory-safe languages, to drastically reduce the number of vulnerabilities, and software bills of materials.
The administration also released a request for information (RFI) on open-source software security, asking for expert opinions on securing open-source software.
The White House report notes that the OS3I will continue in 2024 by “taking stock of the research and information submitted through the RFI to inform future OS3I workstreams and priority actions.”
Additionally, the administration will “continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
The OS3I will also continue to reach out to the community to “identify and highlight policy solutions that improve the security of the open-source software ecosystem.”
