Senate Committee Passes Securing Open Source Software Act

Cybersecurity is a hot topic in Washington, D.C., right now. The Biden administration has released a number of executive orders around national cybersecurity edicts, and now the Senate has proposed a rare bipartisan bill designed to secure open source software.

According to a press release from the Department of Homeland Security, this bill, known as the Securing Open Source Software Act, would establish a risk framework for open source code. The Cybersecurity and Infrastructure Security Agency (CISA) would take the leading role in developing this framework, which would be used across the federal government; organizations and companies operating critical infrastructure would be encouraged to adopt it as well.

The Log4j incident was the impetus behind the legislation. Its impact on federal computer networks, together with the risk it posed to critical infrastructure, made the bill’s sponsors recognize just how serious the threats from insecure open source code can be.

“This important legislation will, for the first time ever, codify open source software as public infrastructure,” Trey Herr, director of the Cyber Statecraft Initiative at the Scowcroft Center for Strategy and Security, the Atlantic Council, said in a formal statement.

The bill was first introduced in late 2022, but it went nowhere. It was reintroduced in early 2023. While it is a positive step toward addressing cybersecurity in open source software, some are skeptical of the bill, saying it doesn’t go far enough to provide real protection.

Why and Where the Bill Is Lacking

“This bill is a good step in the right direction, but like many other bills and government reports, this is incredibly lacking in any detail regarding how to actually implement the recommendations, and there are zero details on how this would be enforced,” said Varun Badhwar, CEO and co-founder of Endor Labs, in an email statement.

According to Badhwar, the bill currently lacks detail: there is little guidance on what benchmarks should be used, on who will enforce the regulations or how, on the goals that would make the bill effective, or on the role CISA will play in ensuring that the proposed audits of all open source components used by government agencies actually take place.

“This bill describes the exact problem much of the industry is facing–developers have relied on open source for over a decade to help them be more productive,” said Badhwar. “We’re now at a point where open source is a part of our critical infrastructure and it’s not going anywhere–it’s ingrained and intertwined with everything we do. So we have to figure out how to use open source securely and at scale.”

Why the Bill Is Necessary

The bill cleared its first hurdle and passed out of committee on a vote of 11-1. But anyone who follows Congress knows that the language in the bill will change as the full Senate debates it and will be revised again when it moves to the House. There is plenty of time for the issues Badhwar raised to be addressed.

The concerns are valid. While open source is the “foundation of the modern internet,” as one blog post stated, it comes with plenty of risk. Because open source code is shared so widely and makes up 90% of all code used in web and cloud applications, an undetected vulnerability in one component can easily slip into many applications at once. Threat actors know this, and by targeting these flaws they gain a far wider attack surface.

Why aren’t these flaws found before the code goes live? Security continues to be an afterthought in software development, so if a vulnerability isn’t caught and fixed upstream, within the open source project itself, it is unlikely to be discovered by the developers who later integrate that code.

Adding regulations for open source code, alongside other initiatives brought forward by the Biden administration such as security-by-design and higher cybersecurity standards, should make all software and applications more secure. While this particular bill is focused on the federal government and critical infrastructure, there will eventually be a trickle-down effect that brings new levels of security to all open source, and that will benefit everyone.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
