The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has outlined at a broad level its plans to carve out a role in helping secure open source software, both for federal government agencies using this software and across the ecosystem itself.
In an Open Source Software Security Roadmap released on Tuesday, the agency said it wants to build up the capabilities to better understand the complex open source ecosystem and create visibility around the security risks in this landscape. As part of this, it plans to create a framework for prioritizing security risks in open source software, which it will use to assess - and where necessary, publish alerts for - threats to critical open source software dependencies. The agency’s plan also aims to reduce risks for federal agencies, by evaluating how well various security capabilities or services would help them and by creating best practices guidance for federal agencies on open source program offices, which help organizations organize and manage their open source program operations.
“As a public good, open-source software is supported by diverse and wide-ranging communities—which are composed of individual maintainers, non-profit software foundations, and corporate stewards,” said the agency on Tuesday. “CISA must integrate into and support these communities, with a particular focus on the critical OSS components that the federal government and critical infrastructure systems rely upon.”
Over the years, different flaws in open source software - including Log4j in 2021 and Heartbleed in 2014 - have shed light on how difficult this ecosystem is to secure. Open source developers and maintainers have limited time, funding and resources, especially as it relates to security. And across the ecosystem, the prevalence of open source software makes it difficult to identify which projects and tools are considered critical for the nation’s security.
CISA attempted to address some of these issues, laying out plans for supporting security education for open source developers, publishing best practices on securely incorporating open source software for critical infrastructure organizations and federal agencies, coordinating vulnerability disclosure and response policies for open source flaws and focusing “on the requirements, challenges, and opportunities of automatically generating dependency data within the open source ecosystem.”
CISA also said that it hopes to "show up as an OSS community member" and “encourage collective action from and greater accountability by” open source software entities like package managers and code hosting services. However, David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, said he’s concerned that CISA’s roadmap has a “strategic alignment problem." Instead of focusing on OSS maintainers, he argued, CISA could leverage its strengths to help organizations that rely on vulnerable open source libraries, such as the energy sector.
“Where they lack is when they switch to, 'we're now going to help the OSS community,' as opposed to, 'we're going to seek changes in Congress to how we incorporate this in our critical [entities], and act as advisors,' 'we're going to work with the FDA to make sure that we have consistency across guidelines in agencies, so that a vendor developing open source doesn't have to deal with seven different agency requirements,'" said Brumley. "Those are the sorts of things that they could do."
Dan Lorenc, CEO and co-founder of Chainguard, said while “CISA did a good job recognizing work will have to happen upstream, and CISA employees will need to engage directly with communities,” the government collaboration model here can’t be “you push, we’ll steer.”
“Contributing to OSS is hard, and typically takes the form of funding or hands on keyboard help,” said Lorenc. “CTRL+F ‘funding’ does not yield any results in this document. The government doesn’t have a great reputation for helping out with direct code or other contributions, but they do have the ability to help fund work already being done to achieve many of these roadmap items, such as memory safety, vulnerability remediation and SBOM tooling.”
Entities from the open source software community and companies that depend on open source projects have stepped up over the past few years to try to tackle the massive problem of security, and CISA said it wants to align its efforts with these existing initiatives. Last year, for instance, the Open Source Security Foundation (OpenSSF) announced the Alpha-Omega project to help the maintainers of thousands of critical open source software projects find and fix security vulnerabilities in their code. Several technology companies have also committed resources aimed at helping open source developers and maintainers improve their code’s security, such as Google’s OSS-Fuzz service for fuzzing open source projects.
“It’s pretty remarkable to look back on that dark place we found ourselves in during Log4j, and all the great work that’s been accomplished by so many in the open source community since,” said Lorenc. “There has been a huge push in the U.S. and around the globe to better address the security of open source. The White House held several meetings, including one this week, there is the Securing Open Source Software Act and open source and supply chain security showed up as key issues across all kinds of legislative and regulatory efforts.”