2023 has been the year for regulators to really get their teeth into the blight of security issues that continues to plague the open source community. Last month, nearly 100 government officials and private sector executives convened in a two-day summit hosted by the Open Source Security Foundation (OpenSSF) to discuss and draft a new long term plan for securing publicly available code.
The U.S. Cybersecurity Infrastructure and Security Agency (CISA), notably, laid out its roadmap, including four key priorities to secure open source software:
- Establishing CISA’s role in supporting the security of open source software
- Driving visibility into open source software usage and risks
- Reducing risks to the federal government
- Hardening the open source ecosystem.
In an interview with IT World Canada, chief executive officer of SlimAI John Amaral affirmed that government intervention is justifiable, especially as countless public sector agencies rely on open source technologies and enjoy their numerous benefits like accelerated innovation and cost efficiencies. He, however, refrained from calling open source “a public good.”
He explained, “Many open source projects are staffed by corporate engineers in pursuit of corporate objectives. I think we often forget that when painting this picture of the selfless maintainer toiling away for the sheer joy of open source.”
Software vendors who are monetizing open source, he added, need to have their own programs in place beyond what the government implements to really see progress.
In August, OpenSSF released the Open Source Consumption Manifesto (OSCM), urging the software industry to take responsibility for open source security. Both commercial and non-commercial organizations were called on to hone their open source security measures and, more importantly, to acknowledge that not all vulnerabilities are actively curated. Scoring systems such as CVSS used for CVEs, can be a trailing indicator, the OSCM said.
Amaral concurred that “the bigger problem may be with the vulnerability scanners themselves.” He added, “in an effort to be comprehensive, we’ve seen a lot of instances of CVEs that are either overstated or irrelevant.”
The U.S. Securities and Exchange Commission (SEC), in fact, recently announced it is suing SolarWinds for allegedly exaggerating the cyber controls in place and ignoring red flags related to its Orion software, which was targeted by one of the worst cyber-espionage incidents in U.S. history in 2019, impacting around 18,000 customers, out of which 9 federal agencies and about 100 private sector companies were compromised.
Supply chain attacks the likes of CodeCov, Log4J, and SolarWinds were a lesson, Amaral noted, and he stressed, “Sometimes you need a rallying cry to get people motivated to act.”
This attack did radically change the face of both supply chain and open source security standards, with the U.S. government starting to require, for instance, SBOMs (software bill of materials) which are inventories of the components of software, their origins, licenses, and dependencies.
“Mostly, developers are unaware of what’s occurring upstream from them,” Amaral said. “They rely on open source libraries and packages, which get packaged into a container and shipped to production, all without ever really knowing much about the software they’re depending on and are responsible for.”
Accountability and visibility throughout the supply chain for everyone utilizing open source tools has been a focus for SlimAI, Amaral stressed. The startup, born out of an open source project helps businesses optimize and secure their software containers.
In April it announced the launch of its automated container hardening feature. Built into existing CI/CD pipelines, this feature automatically scans a company’s containers for vulnerabilities and removes unnecessary files and other attack surfaces.
The company, Amaral explained, wants to ensure that software vendors relying on open source libraries to create a salable product secure their software and communicate risks to consumers.
“That’s what we’re helping businesses do at Slim,” Amaral said. “Software vendors need to be able to account for and trust their upstream dependencies, and communicate that trust and security downstream to customers.”
