The White House recently issued a request for information (RFI) that seeks public and private sector input as federal leadership develops its strategy and action plan to strengthen the open-source software ecosystem.
The RFI builds on the administration’s strategy “to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
The White House is seeking responses by 5:00 p.m. EDT on October 9, 2023, according to this briefing.
“All the areas touched upon are relevant, and advances in any of them will improve the security posture of open source projects and communities, and also the posture of their downstream users,” Henrik Plate, CISSP, security researcher at Endor Labs said. “What is particularly noteworthy is that the RFI also seeks input on socio-economic topics, which are as (if not more) important than technical areas for open source security and software security in general.”
Examples of these include compensation frameworks or software liability as mechanisms to incentivize secure software development practices, or to ensure maintenance plans and government structures for critical open-source projects.
International collaboration and alignment are essential in recognizing that open-source communities transcend political boundaries. However, challenges can arise in situations like the Ukraine conflict, where contributors from opposing political groups are involved, or when open source projects are utilized to convey political messages (referred to as protestware), Plate explained.
“Open source is unstoppable: It already dominates larger portions of software and cloud stacks, and has the potential to also conquer AI stacks. AI developer frameworks like PyTorch or TensorFlow are already open source, and recent successes of Llama2 and other open source models seem to indicate that the same could happen for models,” Plate added.
According to Endor Labs CEO and co-founder Varun Badhwar, the biggest open source risks facing organizations and government agencies today lie in transitive or indirect dependencies with the average company using over 40,000 open source dependencies, or software packages, and each of those can bring in on average 77 other indirect dependencies.
Endor Labs research found that 95% of vulnerabilities live in these transitive dependencies, but that most companies don’t have visibility into how they’re being used.
“One of the main culprits behind this struggle is the sheer volume of OSS used within applications, and severe inefficiency in OSS vulnerability remediation. Somewhere around 90% of code in modern applications is OSS, yet most organizations only use 12% of the OSS they import. This makes open source, while crucial, the noisiest part of application security. Developers waste a lot of time hunting down vulnerabilities in code that’s never actually used and don’t have efficient tooling to prioritize the most critical risks that are actually reachable in their applications,” Badhwar said. “But new innovations are helping, such as code and pipeline governance, to tell developers what needs attention now, what can wait until tomorrow, and which vulnerabilities don’t need to be addressed at all, helping eliminate 80% of false positive vulnerability alerts and improve OSS security for all.”