What the Free Software Securing Act does and what it lacks
There’s at least one thing Republicans and Democrats can agree on in the US Senate: the importance of open source software. Seriously.

As US Senator Gary Peters (D-MI) said last week, “open source software is the foundation of the digital world.” His partner across the aisle, Rob Portman (R-OH), agreed, saying, “The computers, phones and websites we all use every day contain open source software that is vulnerable to cyberattacks.”

Therefore, “The bipartisan Securing Open Source Software Act [PDF] will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

This bill proposes that, since the Log4j security explosion of 2021 and its continued aftershocks have shown how vulnerable we are to attacks that exploit flaws in open source code, the Cybersecurity and Infrastructure Security Agency (CISA) must help “ensure that open source software is safely used by the federal government, critical infrastructure and others.”

After all, the September 22 government statement introducing the legislation added: “The overwhelming majority of computers in the world rely on open source code.” This is far from the first time that the federal government has noticed how vital free software has become for everyone. In January, the US Federal Trade Commission warned that it would punish companies that fail to address their Log4j security issues.

The US government has long supported open source software. For example, since 2000 the National Security Agency has helped create Security-Enhanced Linux (SELinux). And, in 2016, then-US chief information officer Tony Scott proposed an open-source-friendly coding policy that required that all “new software developed specifically for or by the federal government be made available for sharing and reuse among federal agencies.” It also includes a pilot program that will result in the public release of some of this new federally funded custom code.

The Securing Open Source Software Act, however, shifts open source from the realm of policy and regulatory decisions to federal law. This bill will require CISA to develop a risk framework to assess how open source code is used by the federal government. CISA would also decide how the same framework could be used by critical infrastructure owners and operators.

According to the Open Source Security Foundation (OpenSSF) in its analysis of the law, “CISA would produce an initial assessment framework to manage open source code risks, incorporating government, industry, and community open source frameworks and best security software practices.”

In short, CISA would not try to reinvent the wheel, but rather use the best of existing open source security techniques. This follows in the footsteps of President Joseph Biden’s Executive Order on Improving the Nation’s Cybersecurity, which stated that developers must provide “a purchaser an SBOM [Software Bill of Materials] for each application.”

The law will also require CISA to identify ways to mitigate the risks associated with open source software. To do this, CISA needs to hire open source developers to fix security issues. It also proposes that some federal agencies create open source program offices (OSPOs). Finally, it will require the Office of Management and Budget (OMB) to fund a CISA software security subcommittee and issue federal guidelines on how users can secure open source software.

Much of this will sound familiar to people who follow open source security closely. As OpenSSF noted, “Some of the ideas sound familiar to us – for example, the use of SBOM, the importance of development, build, and release process security practices, and a call for a ‘Risk Assessment’ security framework [echo] our Mobilization Plan Risk Assessment Dashboard feed.”

But, surprisingly, the bill misses other points. For example, all software, not just open source, should be checked for potential risks. As Brad Arkin, senior vice president of Cisco and chief security and trust officer, testified before Congress about Log4j: “Open source software hasn’t failed, as some have suggested, and it would be wrong to suggest that the Log4j vulnerability is evidence of a single flaw or increased risk with open source software. The truth is that all software contains vulnerabilities due to inherent flaws in human judgment in design, software integration and writing.”

Yet, as flawed as the bill is, OpenSSF says it is “committed to collaborating and working both upstream and with existing communities to advance open source security for all. We look forward to collaborating with decision makers around the world to improve the security of the software we all depend on.”

OpenSSF isn’t the only group that wants to work with the government to fundamentally improve open source security, but also has concerns. Deb Bryant, US policy director of the Open Source Initiative (OSI), worries that Congress is “building a framework that aims to treat open source as a special class of software instead of solving it for all software”.

Heather Meeker, a well-known open source attorney and general partner at OSS Capital, added more optimistically, “It’s good to see a bipartisan effort to improve security management across software infrastructure, including open-source software. The private market has long demanded this improvement, via customer demands and expectations of software and cloud service providers. But government oversight can help accelerate improvement efforts outside of trade agreements with vendors, or in situations where vendor market power allows vendors to push back against customer demands.”

Of course, just because a bill reaches Congress doesn’t mean it will become law. Still, its committee advanced the bill to the full Senate on Sept. 29. That’s very fast for any bill on any issue. If it makes it through Congress, there is no doubt that Biden will sign it. With any luck, securing open source software will become the law of the land in 2023.