The White House commits $11 million to enhance our collective understanding of the challenges surrounding open source software.
August 26, 2024
Earlier this month, the White House announced an $11 million investment in what it calls the “Open-Source Software Prevalence Initiative.” This initiative acknowledges that “open-source underlies our digital infrastructure,” as National Cyber Director Harry Coker said in his opening remarks at DEF CON. It’s a continuation of efforts the U.S. federal government has taken to understand and shore up the open source software that modern life depends on. We at Kusari are glad to see the federal government’s continued involvement in open source, not just as a producer and consumer of software, but as an engine for building awareness throughout the technology industry.
The pithily titled “Summary of the 2023 Request for Information on Open-Source Software Security” lists 12 ongoing or expected activities of the federal government. These activities span a wide variety of areas. For example, they include technical work researching the conversion of code written in C into the memory-safe Rust language. They also include governance work like creating an open source program office to coordinate open source efforts within the Center for Medicaid and Medicare Services. Of course, they also include work that the Cybersecurity & Infrastructure Security Agency (CISA) is doing, like spearheading the Secure By Design pledge and working with OpenSSF’s Securing Software Repositories Working Group to improve the security of public software repositories through voluntary security maturity levels.
These projects are great. Software supply chains are complex and securing them requires taking many approaches together. Open source software adds even more complexity, since the software is often maintained by unpaid volunteers who sometimes work under pseudonymous identities. Open source software brings tremendous value to the modern computing world, but it also adds challenges.
You can’t fix the problems you don’t know about, and right now the water is very murky. Most organizations don’t have a clear understanding of what dependencies exist in their software supply chains. They don’t know where vulnerable packages are being pulled in, as the alarming number of applications still vulnerable to Log4Shell can attest. They don’t know which of their open source dependencies are under-resourced and at risk of falling apart. The $11 million that the White House has pledged is an investment in understanding what the problems are.
Seeing the landscape is the first step to making changes. It’s why we continue to develop tools like GUAC — so that developers and security engineers can understand the complex relationships in their software supply chains.
Kusari is committed to open source. We believe that open standards and collaboratively developed tooling are necessary to achieve the goal of secure supply chains for everyone. Just as Executive Order 10460 helped build broader momentum for creating and consuming software bills of materials, the Open-Source Software Prevalence Initiative will help spur a greater understanding of the role open source plays in both public and private sector computing.