White House, federal cyber leaders pledge renewed support for open source security

Dive Brief:

  • Top cybersecurity officials from the Biden administration pledged additional support to the open source software community and private sector security executives during the Secure Open Source Software Summit in Washington D.C. Tuesday.
  • The Cybersecurity and Infrastructure Security Agency released a roadmap for open source software security, which is designed to establish the agency’s role in creating a more secure ecosystem and reducing the security risk for federal agencies, which depend heavily on open source in their applications.
  • The federal government’s various Sector Risk Management Agencies offered support to the Open Source Security Foundation, as part of a larger effort to reduce security risks among key critical infrastructure sectors. 

Dive Insight:

The summit, scheduled to end Wednesday, marks the latest in an ongoing effort by the open source community to work with federal officials and private industry to help reduce the considerable security risks inherent in working with open source software. 

Open source is widely used in almost all modern applications and played a key role during the Apache Log4j vulnerability crisis, which exposed millions of applications to potential attacks from unauthenticated hackers. 

Following the Biden administration’s 2021 Executive Order to bolster cybersecurity, stakeholders have set out to strengthen the open source ecosystem to avoid catastrophic risk.

The White House held a summit in January 2022, which included a call for increased investment by tech industry giants to help support the open source community.

“Open source software is part of the foundation of the software that underpins every critical infrastructure sector,” CISA Director Jen Easterly, said in a statement. “At CISA, we are set on working hand in hand with the open source community to ensure that we can continue to reap the benefits of open source software in a secure manner.”

OpenSSF officials said the organization is taking specific measures to help bolster security, including the advancement of software bills of material, educate software developers on security and push for increased vulnerability disclosure.