The Linux Foundation Projects
July 15, 2024

Open Sustainability Policy Summit Recap and Video: Best Practices for Using Open Source Software Safely and Securely from CISA

In a recent presentation at the Open Sustainability Policy Summit, Olga Livingston, Principal Cyber Economist at the Cybersecurity and Infrastructure Security Agency (CISA), shared insights on how to use open source software safely and securely (the session video is embedded below). Drawing on her background in mathematical economics and statistics, Livingston highlighted several best practices and key considerations for leveraging OSS effectively. Here are the essential points from her session:

1. Understanding the Value and Role of OSS

Open source software is not just a commodity but a public good that drives productivity across many sectors. Given its widespread use and significant impact on the economy, ensuring its safety and security is an inherently governmental function. With around 50 million OSS projects hosted on platforms like GitHub and an estimated contribution of approximately $8 trillion to the economy, addressing the security and integrity of this software is imperative.

2. Government Involvement and Collaboration

CISA, as the national cyber defense agency, plays a critical role in coordinating efforts to secure OSS. This involves partnering with other federal agencies, key players in the OSS community, and thought leaders to establish open source program offices (OSPOs) within federal agencies. These offices aim to manage the use, development, and security of OSS, fostering a collaborative environment between the public and private sectors.

3. Establishing Guardrails Without Over-Regulation

A common concern is that federal involvement might lead to excessive control and regulation of OSS. Livingston emphasized that CISA’s approach is to set clear boundaries and guardrails while allowing the OSS community to maintain its creative freedom and innovation. The goal is not to impose a heavy-handed regulatory framework but to support and enhance the security practices already in place within the community.

4. Promoting Secure Practices and Frameworks

To address security concerns, CISA collaborates with organizations like the OpenSSF (Open Source Security Foundation) to develop and promote security principles for package repositories. Additionally, CISA is working on a “4P” framework to assess the trustworthiness of various OSS components, focusing on Project, Product, Protection, and Policy. This framework aims to provide automated metrics and indicators for evaluating the security of OSS packages.

5. Enhancing Visibility and Incident Response

One of the challenges in securing OSS is the lack of visibility into where it is used and which vulnerabilities it carries. CISA advocates for better tools and practices to identify and address issues proactively. This includes real-time information sharing through initiatives like the Joint Cyber Defense Collaborative (JCDC) and improved software composition analysis (SCA) to understand the dependencies, and the risks, associated with the OSS an organization actually runs.
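To make the software composition analysis point concrete, the following is an added example written for this recap; it is not code from CISA, OpenSSF or the summit. It takes a dependency inventory in a CycloneDX-like shape and an advisory list in an OSV-like shape, both constructed here with placeholder package names and placeholder advisory identifiers (they describe no real vulnerability), and reports which components fall inside an advisory's affected version range. The version comparison assumes purely numeric dotted versions; real SCA tooling has to implement each ecosystem's versioning rules.

```python
"""Minimal software composition analysis (SCA) pass: match an inventory of
OSS dependencies against advisories with affected version ranges.

Added example, not CISA's or OpenSSF's code. The SBOM fragment and the
advisories are constructed for illustration; the package names and
advisory IDs are placeholders and do not refer to real vulnerabilities.
"""
import json

# Constructed inventory in a CycloneDX-like shape (only the fields used here).
SBOM_JSON = """
{
  "components": [
    {"name": "left-padder",  "version": "1.4.2", "purl": "pkg:npm/left-padder@1.4.2"},
    {"name": "yamlish",      "version": "0.9.0", "purl": "pkg:pypi/yamlish@0.9.0"},
    {"name": "fastjson-ish", "version": "2.3.1", "purl": "pkg:maven/org.example/fastjson-ish@2.3.1"}
  ]
}
"""

# Constructed advisory feed in an OSV-like shape; IDs are placeholders.
# "fixed": None means no fixed release has been published yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "yamlish",
     "introduced": "0.8.0", "fixed": "0.9.3"},
    {"id": "EXAMPLE-2024-0002", "package": "left-padder",
     "introduced": "2.0.0", "fixed": "2.0.5"},
    {"id": "EXAMPLE-2024-0003", "package": "fastjson-ish",
     "introduced": "0", "fixed": None},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple.

    Assumption: purely numeric dotted versions. Real SCA tools must handle
    ecosystem-specific schemes (PEP 440, semver pre-releases, epochs, ...).
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """OSV-style half-open range: introduced <= version < fixed.

    A missing 'fixed' bound means every version from 'introduced' onward
    is affected, which is the case a practitioner most needs surfaced.
    """
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Extract the component list from the (CycloneDX-like) inventory."""
    return json.loads(sbom_json)["components"]


def scan(components, advisories):
    """Return (advisory id, purl) pairs for every affected component, in inventory order."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(
                comp["version"], adv["introduced"], adv["fixed"]
            ):
                findings.append((adv["id"], comp["purl"]))
    return findings


if __name__ == "__main__":
    for adv_id, purl in scan(load_components(SBOM_JSON), ADVISORIES):
        print(f"{adv_id}: {purl}")
```

Matching on the bare package name is deliberately naive: in practice the match should key on the full package URL (ecosystem plus namespace plus name), since the same name can exist in several registries, and the inventory should come from a lockfile or build artifact rather than a declared manifest so that transitive dependencies are not missed.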