The open source community outlined key initiatives that can immediately address goals for hardening the software supply chain.
Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger and other relevant government officials received a plan that major companies have agreed to help fund and support, in the interest of securing the open source software undergirding their technology.
“The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, [the Office of the National Cyber Director], [the Cybersecurity and Infrastructure Security Agency], [the National Institute of Standards and Technology], [the Department of Energy], and [the Office of Management and Budget] to reach a consensus on key actions to take to improve the resiliency and security of open source software” reads a press release Friday.
The Linux Foundation and the Open Source Security Foundation, which it supports, released a white paper describing the full plan. A summary provided in the press release points to areas requiring attention before, during and after the software development process.
To improve the security of open source software as it is produced, for example, the plan highlights a need to eliminate non-memory-safe coding languages. Such languages, like Cobol and C++, can be faster and more efficient but are more prone to certain vulnerabilities.
The plan would also involve identifying and auditing certain libraries and deploying incident response teams as needed, facilitated by tools like a standardized software bill of materials.
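The library-auditing step described above is where a standardized SBOM does its work: once every dependency is listed by name and version in a machine-readable form, matching that list against an advisory feed becomes a small script rather than a manual inventory. The following is an added illustration, not code from the Linux Foundation, OpenSSF or the plan's white paper; it reads a CycloneDX JSON document (a real SBOM format, the fields `bomFormat`, `components`, `name`, `version` and `purl` are part of that specification) but the package names, versions, advisory identifiers and version ranges are all constructed for the example.

```python
"""Audit a CycloneDX SBOM against a list of advisories (added example, not from the plan)."""
import json

# Constructed sample SBOM in CycloneDX JSON form. The component names,
# versions and purls are made up for this example, not from any real project.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.3",
     "purl": "pkg:pypi/examplelib@1.2.3"},
    {"type": "library", "name": "fastparse", "version": "0.9.0",
     "purl": "pkg:pypi/fastparse@0.9.0"},
    {"type": "library", "name": "netutil", "version": "2.0.1",
     "purl": "pkg:pypi/netutil@2.0.1"},
    {"type": "library", "name": "legacycrypt", "version": "1.0.0rc1",
     "purl": "pkg:pypi/legacycrypt@1.0.0rc1"}
  ]
}
"""

# Constructed advisory feed: an affected range is [introduced, fixed).
# The identifiers are placeholders, not real advisory or CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "fastparse",
     "introduced": "0.8.0", "fixed": "0.9.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "netutil",
     "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "legacycrypt",
     "introduced": "0.1.0", "fixed": "1.1.0"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple of ints.

    Raises ValueError for anything that is not purely numeric (pre-release
    tags, vendor suffixes); callers must treat that as 'cannot decide'.
    """
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    pairs = []
    for component in doc.get("components", []):
        # Components without a version cannot be matched to a range at all.
        if "name" in component and "version" in component:
            pairs.append((component["name"], component["version"]))
    return pairs


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed under numeric comparison."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(sbom_text, advisories):
    """Match every SBOM component against every advisory for that package.

    A version that cannot be parsed is reported for manual review rather
    than silently skipped, so an odd version string never hides a finding.
    """
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["package"] != name:
                continue
            try:
                affected = is_affected(version, adv["introduced"], adv["fixed"])
            except ValueError:
                findings.append({"component": f"{name}@{version}",
                                 "advisory": adv["id"],
                                 "status": "manual review"})
                continue
            if affected:
                findings.append({"component": f"{name}@{version}",
                                 "advisory": adv["id"],
                                 "status": "affected",
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

On the constructed input the script reports `fastparse@0.9.0` as affected (it falls inside the 0.8.0 to 0.9.2 range), leaves `netutil@2.0.1` alone because the fix landed in 2.0.0, and flags `legacycrypt@1.0.0rc1` for manual review because a pre-release tag defeats the simple numeric comparison; a production tool would use a proper version-specifier library for that last case, but the point is that the SBOM makes the check mechanical at all.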
According to the release, the plan “outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions … The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future.”
“A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan,” the release adds. “Those companies are Amazon, Ericsson, Google, Intel, Microsoft and VMWare, pledging over $30M. As the plan evolves, further funding will be identified, and work will begin as individual streams are agreed upon.”
Debates that have been simmering for years about who bears responsibility for what in a secure software development process, and how to appropriately shape incentives, are coming to a boil.
In accordance with Executive Order 14028, the National Institute of Standards and Technology has released and updated a series of new guidance documents for agencies and other enterprise customers to secure their software supply chains. The agency has said more work on the responsibilities of supply chain providers—such as those producing foundational information and communications technologies—is on the agenda.
At a hearing before the House Science Committee Wednesday, Brian Behlendorf, general manager of the Open Source Security Foundation, testified on the importance of addressing the security of open source libraries serving the internet's routing system, in the context of prioritizing where the community supporting open source software should focus its attention.
“There's been really exciting advances in the last few years [in the performance of memory safe coding languages],” Behlendorf said. “I think the time is ripe to really consider looking at a lot of fundamental libraries and parts of the internet architecture, such as the software that runs the domain name system, as opportunities to, again, eliminate entire categories of software vulnerabilities.”