Technology industry representatives and national security officials are convening in Washington this week to consider ways to improve the security of open source software, the foundation of a software ecosystem that government officials and researchers are working to make safer.
Sponsored by the Linux Foundation’s Open Source Security Foundation, the Secure Open Source Software Summit brings together federal agencies, nonprofit organizations, and tech giants.
“This week’s convocation is to confirm with our partners in government and the private sector to ensure we are holding ourselves accountable to the aggressive goals we set last year and to continue to further fuel our momentum,” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, said in a statement to CyberScoop. “But we still have a lot of work to do, including tools to automatically generate bills of materials for software and approaches to using AI for more secure open source software.”
Open source software is a core component of virtually all computer systems, but its reliance on volunteers and the fact that anyone can contribute to its repositories raise major security concerns. In fact, the initial impetus for the January 2022 Open Source Security Summit was an easily exploitable vulnerability found in Apache Log4J software, a vulnerability that continues to be exploited nearly three years after its discovery.
Attendees at this week’s summit include government representatives from the Cybersecurity and Infrastructure Security Agency, Office of the National Cyber Director, Department of Energy, Treasury Department, National Science Foundation, National Security Council, Office of Management and Budget, National Security Agency, Health Advanced Research Projects Agency, and Defense Advanced Research Projects Agency.
Industry representatives include Amazon, Apple, Google, GitHub, IBM, JFrog, Lockheed Martin, Microsoft, and more.
Nonprofit organizations include the Alperovitch Institute for Cybersecurity Studies, FS-ISAC, ISC2, and the Fintech Open Source Foundation.
The Biden administration has made improving the security of open source software a key priority. At the Black Hat cybersecurity conference in August, the government released a request for information on the best way to protect open source technology: whether by promoting memory-safe languages like Rust, which protect against certain subsets of vulnerabilities by default, or by having the federal government dedicate resources to something broader, and where those resources should be focused.
On Tuesday, CISA released its Open Source Software Security Roadmap. The document gives an overview of two key concerns: the cascading risk of vulnerabilities in open source projects, and the potential impact on the supply chain from compromised repositories, where malicious updates could spread backdoors and scripts.
“Open source software has fostered tremendous innovation and economic benefits, including serving as the foundation for technology used in the federal government and in all critical sectors,” Eric Goldstein, Executive Assistant Director for Cybersecurity, said in a statement. “Because of this prevalence, we know that vulnerable or malicious open source software can pose systemic risks to economies and critical functions.”
The roadmap sets out several overarching goals: establishing CISA’s role in supporting open source software, increasing visibility into usage and risk, reducing federal risk, and strengthening the open source software ecosystem.
Dan Lorenc, CEO of Chainguard and member of OpenSSF, said that while the roadmap is encouraging, it lacks sufficient focus on funding the work needed to secure open source software. “They talked about aid, they talked about aid, but I don’t really know what that aid means because the word ‘funds’ never comes up here,” Lorenc said.
Lorenc acknowledged that providing that funding is no easy task. Some developers and maintainers of open source projects have day jobs that prohibit them from accepting payment for outside projects. And because anyone can clone or attempt to contribute to open source programs, the broader open source community is far more diverse and fragmented than associations or large organizations, which makes it harder to get federal funding to it.
“It’s very difficult for anyone, not just CISA, not just the U.S. government, to engage in a constructive way with the broader open source community,” Lorenc said.
Asked about the funding gap in the roadmap, a CISA spokesperson said the agency “appreciates any feedback from the open source community.” The spokesperson said the roadmap was a “starting point” and asked the open source community for input “to inform the government’s next steps.”
Omkar Arasaratnam, general manager of OpenSSF, said one of the key topics at this year’s summit will be how artificial intelligence fits into securing open source software.
“At OpenSSF, we believe that AI can be used to address a whole class of open source security problems. We expect that programs like the AI Cyber Challenge with DARPA will lead to significant advances in this area,” Arasaratnam said.
Arasaratnam said the summit will focus on four areas of work related to AI security, including security for open source AI packages like Falcon LLM, enhancing cybersecurity with AI, and applying open source input/output security to AI.
OpenSSF’s future goals include expanding education for open source developers through security guides and classes, improving security assessments, strengthening open source tools, and increasing funding for vulnerability discovery tools.
Moran Ashkenazi, a summit attendee and chief information officer at JFrog, said companies in attendance were encouraged to “contribute, not just consume.” Open source projects are the foundation of the digital economy, but many large companies use their free software while giving little back. Encouraging companies to contribute to open source repositories can improve the quality of code for everyone.