Legislation Aims to Address Open Source Software Risks
Federal legislation seeking to address open source software risks in government has been introduced by U.S. Sens. Gary Peters, D-Michigan, and Rob Portman, R-Ohio.
The legislation comes after a hearing convened by Peters and Portman on the Log4j vulnerability earlier this year. The bill would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used safely and securely by the federal government, critical infrastructure and others.
Tim Mackey is principal security strategist at Synopsys Cybersecurity Research Center.
“Managing open source software is fundamentally different from managing commercial software – whether that software is off the shelf or created based on a contract,” he said. “Properly securing open source software requires an understanding of this and other realities for how open source enters organizations like the U.S. government. The Open Source Software Act of 2022 recommends many activities that are traditionally the responsibility of an open source program office (OSPO). For example, it is the responsibility of an OSPO to determine what open source risks are acceptable for an application and the context in which it’s deployed.”
While there is much to like in the bill, the fact that there’s no mention of how open source software was tested is concerning, Mackey said.
“There are many software development practices that can create weaknesses in software, and some are programming language dependent,” he said. “The capabilities of the various testing tools, both commercial and open source, also vary considerably. How well software is tested and what the security targets used during testing are as important in open source as in commercial software.”