Feds Working to Secure Open-Source Software

Open source software offers greater agility, flexibility and transparency to keep pace with the evolving threat landscape. Now federal agencies are honing in on boosting security in an open-software world.

President Biden’s 2021 cybersecurity executive order catalyzed government’s robust approach to cybersecurity and called for agencies to increase visibility into and detection of cybersecurity vulnerabilities and threats to agency networks.

“What the executive order does is it recognizes that fundamentally we are not going to make this space secure. What we are going to do is we’re going to make it defensible. And so we’re employing new policies and new ways of thinking about security so that you are no longer looking at just the perimeter. We are looking at everything inside that perimeter,” Director of Federal Cybersecurity at the Office of the National Cyber Director Phil Stupak said during GovCIO Media & Research’s Zero Trust event in October.

Since the executive order was released, agencies have developed additional policies — like the Securing Open Source Software Act of 2022 and the memo on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices — to continuously improve security and protect the supply chain.

As agencies move toward a more transparent approach for software development, they’re turning to solutions like software bills of materials (SBOM) and open source to provide a formal record containing the details and supply chain relationships of various components used in building software and make software more accessible.

Open-source software is code that is designed to be publicly accessible. This means anyone could inspect, modify or enhance it. The cross-government transition to open source software provides flexibility to free agencies from vendor lock-in and enable them to scale and change with the environment.

“Open-source software brings added flexibility to government-off-the-shelf software production since government developers can now focus on the application of software rather than solving a problem that’s already been solved,” Defense Digital Service Expert Nicole Thompson told GovCIO Media & Research.

Introduced earlier this year, the Securing Open Source Software Act of 2022 would “establish the duties of the director of the Cybersecurity and Infrastructure Security Agency (CISA) regarding open source software security,” requiring CISA to assess open source software components used directly or indirectly by federal agencies. SBOMs play a critical role in the bill as they enable CISA to assess the components of open-source software.

Sen. Rob Portman said during a Sept. 28, 2022 business hearing, “This bill (Securing Open Source Software Act of 2022) comes out of our hearing we had on this topic and months of discussion … it ensures that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect America’s most sensitive data.”

The bill adds to the cross-government push to secure supply chain and improve transparency of software products. In September 2022, the Office of Management and Budget (OMB) issued a memo on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, which calls for agencies to use software built with common cybersecurity practices.

The memo also set new deadlines for federal agencies to inventory software, develop communication processes and provide training for personnel, adding to the push for greater transparency across software development and move away from the traditionally siloed development approach.

“Open source software has crowd-sourced software development, which is in contrast to closed-source single-team, single-product deployments,” Thompson noted. “The diversity of thought that can be applied to a problem set by inviting a multitude of people to collaborate on a product enhances the final product.”

While there is more transparency within development, that doesn’t mean there is more inherent security. A common misconception is that open source is more secure than closed source; however, this is not the case, Thompson said.

“DDS often quotes, ‘Open-source software is inherently more securable than closed source software.’ This does not mean that open-source software is automatically more secure, but we have the ability to see the software supply chain and are able to take advantage of that,” Thompson said.

One way government could bake in security as it transitions to open source is leverage DevSecOps practices. DevSecOps integrates application and infrastructure security seamlessly into Agile and DevOps processes and tools to address security issues as they emerge — when they’re easier, faster and less expensive to fix — often using automation.

DevSecOps makes application and infrastructure security a shared responsibility of development, security and IT operations teams, rather than the sole responsibility of a security silo. By automating the delivery of secure software, agencies aren’t slowing the software development cycle.

In November, the National Cybersecurity Center of Excellence announced a new project uniting software supply chain and DevOps security practices. The project will apply DevSecOps practices in multiple proof-of-concept scenarios that involve different technologies, programming languages and industry sectors. The center will use closed source and open-source technology to demonstrate these use cases.

“The intention is to demonstrate DevSecOps practices, especially using automation, that would apply to organizations of all sizes and from all sectors, and to development for information technology, operational technology, ‘internet of things’ and other technology types,” the project description states.

The project will produce actionable guidelines to help organizations integrate security practices into development methodologies. Organizations could then apply these guidelines when choosing and implementing DevSecOps practices to improve the security of the software they develop and operate.

“DDS values the open-source software community — it’s a cultural tenet of DDS. We open source many of our products and our employees also contribute to open-source projects. We want to bring as many secure coders to the process to leverage the advantages of diversity of thought,” Thompson said.