By Dana Wang and David A. Wheeler
As the Open Source Security Foundation (OpenSSF), our core mission is to safeguard the open source software (OSS) ecosystem and make it more secure. In 2023, we embraced a significant opportunity to further this mission by working with the US government, including its Open-Source Software Security Initiative (OS3I).
In January 2024, the US federal government’s Office of the National Cyber Director (ONCD) released the end-of-year report Securing the Open-Source Software Ecosystem and a related fact sheet. The report summarizes the work of its OS3I. This blog outlines our key contributions to the four strategic areas of the OS3I, highlights our role in strengthening the security and resilience of OSS, and briefly notes how this fits into the broader global context.
OpenSSF Key Contributions to OS3I’s Four Strategic Areas
1. Unifying the Federal Government’s Voice on OSS Security
A unified approach to OSS security is vital for its efficacy and implementation. At OpenSSF, we have worked with the US federal government as it developed its unified strategy for improving OSS security. We have engaged in active dialogue, provided expert insights, and worked to find areas where we can collaborate to make everyone’s lives better. For example, on September 12-13, 2023, the OpenSSF hosted the Secure Open Source Software (SOSS) Summit 2023 in Washington, DC, to address the security challenges of consuming OSS in critical infrastructure sectors and beyond. Participants in the Summit included industry leaders and US Government (USG) officials from the National Security Council (NSC), the ONCD, and the Cybersecurity and Infrastructure Security Agency (CISA), among others. During the SOSS Summit, the OpenSSF released a Vision Brief detailing our community’s work over the past year to secure OSS and its plans for the future. As another example, the OpenSSF submitted a response to the Request For Information (RFI) on OSS security and memory-safe programming languages from the ONCD and its partners in the OS3I.
2. Strategic Approach for Secure OSS Usage
CISA’s OSS Security Roadmap identifies four priorities of the US government:
(1) establishing CISA’s role in supporting the security of open source software, (2) driving visibility into open source software usage and risks, (3) reducing risks to the federal government, and (4) hardening the open source ecosystem. The OpenSSF has taken many steps that support these goals, such as educating stakeholders (e.g., on current challenges), contributing to the development of security tools, and sharing best practices for OSS implementation. Our expertise aids federal departments in understanding and navigating the complexities of OSS security, ensuring a secure and effective deployment of open-source technologies. OpenSSF published a blog in September 2023 highlighting how OpenSSF is uniquely positioned to assist with several areas within CISA’s Open-Source Software Security Roadmap.
3. Sustained Security Investment in OSS Ecosystem
We have championed the cause of sustained investment in the OSS ecosystem. We believe that consistent investment and innovation are crucial for the ongoing improvement and sustainability of the OSS ecosystem. OpenSSF has been investing heavily in software security education: more than 22K software developers have enrolled in our course on the fundamentals of developing secure software, and 1,000+ in our course on securing your software supply chain with Sigstore. We welcome all efforts by governments to address sustainability, including the US National Science Foundation’s Dear Colleague Letter on Inviting Proposals Related to Open-Source Software Security to the Secure and Trustworthy Cyberspace Program.
4. Engaging with the OSS Community
Engagement with the OSS community is a cornerstone of our operations. We have undertaken numerous initiatives to foster a robust dialogue between the government and the OSS community. By actively participating in community discussions, responding to information requests, and hosting events, we ensure that the community’s perspectives and insights shape the government’s strategies on OSS security. CISA brought its unique perspective to the community by participating in a 2023 panel discussion during OpenSSF Japan Day. OpenSSF is serving as an advisor to the DARPA two-year AIxCC challenge, which funds advanced research to automatically find and fix software vulnerabilities using artificial intelligence (AI).
Governments Worldwide & Software Security
Many governments, not just the US, recognize the importance of software security in general and of OSS security in particular. In October 2023, many governments and government agencies co-released Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. This paper emphasized that software should be secure by design and secure by default (see this blog post for more information). The European Union (EU) Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component. The CRA underwent a number of changes with the aim of ensuring that OSS development is not harmed while the Act meets its goals. The OpenSSF has engaged with many governments around the world, including the US, the EU, and Japan.
In the end, while governments necessarily decide their own priorities and policies, we think it’s valuable to continue the dialogue among all stakeholders. It’s best for the public if the OSS we all depend on is secure.
Strengthening the Security and Resilience of OSS
At OpenSSF, we are dedicated to ensuring that OSS remains a beacon of innovation, collaboration, and security. Our collaboration with governments worldwide, including the US government’s OS3I initiative, is a reflection of this commitment. By supporting governments’ work to align their strategies, promoting secure OSS practices, advocating for ongoing investment, and engaging with the community, we are paving the way for a safer and more resilient digital future. We believe public-private partnerships, in the broadest sense of that term, are the best way to succeed in challenging problems like this. Together, we can achieve a world where OSS is not only powerful and pervasive but is even more secure and trusted.