By David A. Wheeler, Linux Foundation
Open source software (OSS) is widely used. A 2022 survey by Synopsys found that 78% of the code in the codebases examined was OSS, and that 81% of those codebases contained at least one known vulnerability in the OSS they used. If there is only one thing we learned from the Log4Shell vulnerability in Log4j, it’s that critical OSS vulnerabilities can cause serious problems. In recognition of the role OSS plays as critical infrastructure, OpenSSF sponsored the Critical Infrastructure Security Summit in Washington, DC in September 2022. Organized by the Defense Strategies Institute, the Summit focused on ensuring the resiliency of US infrastructure against cyber attacks, threats, and intrusions. Securing critical OSS components and the infrastructure that supports them is an important part of securing critical infrastructure.
Critical Infrastructure Security Summit
Topics covered at the summit included both traditional and non-traditional infrastructure, from protecting oil and natural gas industry systems to prioritizing cyber defense through modernization. In the talk I gave during the Critical Infrastructure Security Summit, I described how OSS, taken as a whole, is critical infrastructure and should be treated as such. Software, open or closed, impacts all critical infrastructure sectors, including the sixteen identified by CISA as the assets, systems, and networks considered so vital that their disruption would have a debilitating effect on national security, economic security, or public health and safety:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
Unfortunately, all software is under attack via vulnerabilities and the supply chain.
Open Source is Critical Infrastructure
Open source is a critical part of the software supply chain, and governments around the world acknowledge the importance of OSS. In the United States, Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, released May 12, 2021, and the White House Meeting on Software Security (held after Log4Shell) in early 2022 demonstrated an increased interest in finding solutions to the most pressing challenges in securing OSS. After this meeting, we followed up with a second Open Source Software Security Summit, gathering industry and government leaders to reach a consensus on key actions to improve the resiliency and security of open source software. That summit resulted in the release of the Open Source Security Mobilization Plan, which maps out a comprehensive portfolio of ten courses of action to harden the software supply chain. Most recently, the US government discussed additional steps to address cybersecurity challenges in the software supply chain with the Securing Open Source Software Act, introduced on September 21, 2022.
When we consider open source as critical infrastructure, we must keep in mind that not all OSS is equally important, but some OSS (and its supporting infrastructure) is very critical. Several initiatives are underway at the OpenSSF to identify and fill gaps in the security practices of the most critical open source software. For example:
- The OpenSSF Securing Critical Projects WG is identifying the most critical OSS
- The OpenSSF Alpha-Omega Project is partnering with some of the most critical OSS projects to improve their security, and in addition it is working to identify and report vulnerabilities in the top 10,000 OSS projects
- The OpenSSF provides free educational resources like the fundamentals course Developing Secure Software and the course Securing Your Software Supply Chain with Sigstore
- The OpenSSF Best Practices Working Group recently released two new concise guides for developing more secure software and evaluating open source software
- OpenSSF Scorecards, the OpenSSF Best Practices Badge, and SLSA provide mechanisms to evaluate the security practices of OSS projects and their build processes
My remarks at the Critical Infrastructure Security Summit, September 28-29, 2022 in Washington, DC, concluded with a call for anyone interested in improving OSS security, including its supply chain security, to please get involved! The more open source becomes a normal part of the conversation about making critical infrastructure resilient to threats, the more we can work together through public-private partnerships that deliver effective solutions and protect our way of life.