Strengthening open source: A roadmap to enhanced cybersecurity

In a pivotal move to enhance cybersecurity earlier this year, the White House Office of the National Cyber Director, in partnership with the Open-Source Software Security Initiative, unveiled an RFI summary report outlining strategic priorities for open-source software security. This initiative, rooted in the National Cybersecurity Strategy, aims to fortify the open-source software ecosystem by addressing critical vulnerabilities and promoting secure development practices.

The report underscores the importance of secure software development, including using memory-safe languages and robust software development techniques, frameworks and testing tools. Additionally, the Open-Source Software Prevalence Initiative seeks to better understand the distribution and use of open-source components in critical infrastructure. By analyzing this data, the federal government and the open-source community can take targeted actions to mitigate risks and strengthen the overall security posture.

The RFI summary report further consolidates valuable insights from the open-source community, outlining 12 key activities planned for 2024-2025. These activities prioritize strengthening the software supply chain, promoting the use of Software Bills of Materials, and enhancing the security of legacy software components. By focusing on these areas, the federal government and OSSPI can work collaboratively to ensure open-source software's long-term security and reliability.

Improving the software supply chain

The OS3I report highlights the critical role of the Department of Homeland Security’s Science and Technology Directorate and the Cybersecurity and Infrastructure Security Agency in bolstering software supply chain security. By funding and guiding the development of software supply chain visibility tools, these agencies empower developers and system administrators to identify and mitigate vulnerabilities.

Open-source developers are committed to securing the software supply chain through collaborative efforts to address vulnerabilities. However, federal agencies must adopt platforms that provide comprehensive visibility into potential software vulnerabilities to meet government standards. A recent survey by GitLab found that 19% of U.S. public sector respondents use 11+ tools for development – an inefficiency that increases risk by introducing potential vulnerabilities. By fostering transparency and accountability, platforms can mitigate risks and improve the overall security posture of open-source software.

Supported enterprise OSS provides increased security and regulatory compliance through quality checkpoints, automated testing, and enforced DevSecOps pipelines to consistently validate contributions to the software while providing users the platform support they need.

Hardening guides and best practices should also be developed and published to reduce risk for enterprise versions of open-source software. Peer code review is a standard practice in OSS community development. To enhance transparency and security, the platform hosting the OSS should have visibility into peer reviews, signed commit histories, and contribution approver history.

Enhancing software security with SBOMs

SBOMs offer more than a simple list of components: they provide valuable insights into an application’s makeup, enabling organizations to identify vulnerabilities, track version history and strengthen a network’s defenses. They can also reduce unplanned and unscheduled work, automatically monitor for vulnerabilities and ensure software meets security standards before release.

The report emphasized the importance of SBOM standardization and maturity, highlighting CISA’s ongoing efforts to collaborate with stakeholders and bridge gaps in SBOM implementation. To maximize the benefits of SBOMs, agencies should adopt tools that seamlessly integrate with vulnerability databases and enable automated SBOM generation during the build process.

Furthermore, the RFI summary report advocates for including SBOMs in open-source repositories to foster a more secure and transparent software ecosystem by providing open-source projects with the necessary tools and resources. It’s crucial to recognize the dynamic nature of SBOMs and implement continuous monitoring solutions to keep pace with evolving threats and vulnerabilities.

Leveraging AI for memory-safe software

The ONCD OS3I report highlights the critical role of memory-safe programming languages in bolstering software security. By minimizing vulnerabilities arising from memory-related errors, these languages can significantly enhance the resilience of software applications. While transitioning legacy codebases to memory-safe languages presents challenges, AI and automation offer promising solutions to expedite this process.

AI-driven refactoring tools can analyze and transform legacy code, identifying opportunities for improvement and automatically generating code in memory-safe languages. By automating routine tasks, AI can significantly reduce the time and effort required for code modernization. Additionally, AI-powered code generation can assist developers in writing secure and efficient code, accelerating the development process.

The report also explores the potential of using large language models to translate code from one language to another. However, it emphasizes the importance of human oversight in validating and verifying the accuracy of AI-generated code.

Those looking for a place to start with modernizing legacy code can begin by referencing CISA's Memory Safe Roadmap. Refactoring code can be part of a larger modernization initiative, such as moving a legacy application to the cloud. As Google Chromium demonstrates, adopting memory-safe languages like Rust can lead to significant benefits, including improved security, performance and scalability.

Organizations can achieve many benefits by adopting memory-safe languages and leveraging AI-powered tools. These include improved security, enhanced performance, reduced maintenance costs and increased developer productivity. As we move towards a future where software is increasingly interconnected and critical to our daily lives, adopting these technologies is essential to safeguarding our digital infrastructure.

Collaborating on a secure future

Open-source software is a cornerstone of American innovation, underpinning critical infrastructure and driving economic growth. The government must remain committed to collaborating with the open-source community to safeguard this vital resource. We can build a more secure and resilient digital future by investing in SBOM initiatives, embracing AI and automation and strengthening the software supply chain. Together, we can mitigate risks, foster innovation and ensure a prosperous and connected American future.