
Open-source software security bill advances
A bill that promises to make open-source software more secure has passed an important milestone: the Senate committee voted 11-1 to send it to the full Senate.
Sponsored by U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley (R-MO), the bill appears to enjoy rare bipartisan support.
Specifically, The Securing Open Source Software Act would direct the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework to evaluate how open-source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators.
The legislation also requires CISA to hire professionals with experience developing open-source software to ensure that government and the community work together, and for the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open-source software.
Finally, the bill would require the CISA Cybersecurity Advisory Committee to create a software security subcommittee.
That all represents some level of progress, but, as always, the devil is going to be in the details. An analysis of 41,989 open-source components embedded in the 44 most popular projects managed by the Apache Software Foundation (ASF), conducted by Lineaje, a provider of a platform for securing software supply chains, found that more than a quarter (26%) of the known vulnerabilities cannot be patched by the application development team that deploys the affected components. In addition, the report finds that 64% of the vulnerabilities analyzed have no patch available yet.
Overall, 68% of the vulnerabilities analyzed stem from dependencies introduced when an open-source project pulled in a component or package developed by another maintainer. Even if an organization wanted to update an application that includes such components, it probably could not do so on its own: the fix has to come from the upstream maintainer. The report concludes that 90% of open-source dependencies are transitive, meaning they enter a project indirectly because a component it uses depends in turn on a component created by another entity, and that only 10% of the vulnerabilities discovered lie in a dependency that an application development team could address by itself.
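The direct-versus-transitive distinction the report draws is easy to make concrete on a dependency graph. The following is an added example, not code from the article or from Lineaje: it walks a small constructed dependency tree for a hypothetical application, joins it against a constructed list of vulnerability records (all package names and vulnerability IDs are made up), and sorts each finding into the same three buckets the report uses: fixable by the application team (a direct dependency with a patched release), fixable only upstream (a transitive dependency), or not fixable yet (no patch exists). In practice the `DEPS` table would be populated from the dependency section of a real SBOM such as a CycloneDX or SPDX document.

```python
from collections import deque

# Constructed dependency graph for a hypothetical application "app".
# Each key lists the packages it pulls in directly. All names are made up.
DEPS = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["html-escape"],
    "json-lib": [],
    "http-parser": [],
    "html-escape": [],
}

# Constructed vulnerability records (hypothetical IDs and packages).
# fixed_version is None when no patched release exists yet.
VULNS = [
    {"id": "VULN-A", "package": "json-lib", "fixed_version": "2.1"},
    {"id": "VULN-B", "package": "http-parser", "fixed_version": "1.4"},
    {"id": "VULN-C", "package": "html-escape", "fixed_version": None},
    {"id": "VULN-D", "package": "web-framework", "fixed_version": None},
]


def reachable(graph, root):
    """Breadth-first walk from root; returns {package: shortest depth}.

    Depth 1 means a direct dependency of root. Using the shortest path means a
    package that is both direct and transitive is counted as direct, since the
    application team can bump it themselves.
    """
    depth = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, []):
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth


def classify(graph, vulns, root="app"):
    """Tag each vulnerability with who can actually remediate it."""
    depth = reachable(graph, root)
    rows = []
    for v in vulns:
        pkg = v["package"]
        if pkg not in depth:
            continue  # vulnerable package is not in this application's tree
        direct = depth[pkg] == 1
        has_fix = v["fixed_version"] is not None
        if not has_fix:
            status = "no patch available"
        elif direct:
            status = "fixable by app team (bump direct dependency)"
        else:
            status = "needs upstream maintainer (transitive dependency)"
        rows.append({
            "id": v["id"], "package": pkg, "depth": depth[pkg],
            "direct": direct, "has_fix": has_fix, "status": status,
        })
    return rows


def summarize(rows):
    """Shares comparable to the report's headline percentages."""
    n = len(rows)
    if n == 0:
        return {"total": 0, "transitive_share": 0.0,
                "no_patch_share": 0.0, "app_fixable_share": 0.0}
    return {
        "total": n,
        "transitive_share": sum(not r["direct"] for r in rows) / n,
        "no_patch_share": sum(not r["has_fix"] for r in rows) / n,
        "app_fixable_share": sum(r["direct"] and r["has_fix"] for r in rows) / n,
    }


if __name__ == "__main__":
    for row in classify(DEPS, VULNS):
        print(f"{row['id']:7} {row['package']:16} depth={row['depth']} {row['status']}")
    print(summarize(classify(DEPS, VULNS)))
```

On the constructed input, only VULN-A can be closed by the application team on its own; VULN-B has a fix but sits two levels down, so the intermediate maintainer has to ship a release that picks it up first, and VULN-C and VULN-D have nothing to upgrade to at all. That is the shape of the problem the report describes: an SBOM tells you that you are exposed, but the depth of the vulnerable node tells you whether you can do anything about it.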
Despite these issues, there is a major effort underway to help maintainers of open-source projects to build more secure software. The Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation, is leading an initiative to better secure open-source software by focusing on ten streams of investment that, in total, will require more than $150 million in funding to drive greater adoption of DevSecOps best practices among maintainers of open source software projects.
Unfortunately, many open-source projects are maintained by a small number of programmers who volunteer their time and effort to build components that others are free to use. Like any other developers, those individuals have only so much security expertise. Despite all the interest in open-source software emanating from Congress and the White House, achieving the bill's goals will take a lot more than a presidential signature on an act of Congress.
