NSPE Advocates for Open-Source Software Security

Fall 2023

NSPE Now: Policy Perspectives

BY PHILIP GILES

The White House Office of the National Cyber Director recently initiated a Request for Information (RFI) as part of the Open-Source Software Security Initiative (OS3I). The OS3I is an interagency working group with the goal of identifying policy solutions and channeling government resources to foster greater open-source software security across the ecosystem. NSPE is actively engaged in this process and provided input for the initiative in November.

The Power of Logging

Logging plays a crucial role in software development, operations, and security by capturing essential information. One widely adopted tool for effective logging is Log4j, a key component in modern software development. Its global prevalence is evident as it is extensively utilized across various software applications and online services, showcasing its significance in ensuring smooth and secure functionality.

Identifying a Critical Security Risk

In December 2021, a critical vulnerability was discovered in Log4j, putting millions of systems at risk of unauthorized access, data theft, and network infections. Rated at the maximum severity score of 10 on a standardized severity scale, the Log4j security issue is regarded as one of the most serious. What adds to the concern is the relative ease with which attackers can exploit the Log4j vulnerability, making it one of the most significant security threats in recent years.

White House Action

Log4j Aftermath: OS3I’s Drive to Enhance Software Security

In the months following the disclosure, a concerning 40% of Log4j downloads remained vulnerable (according to Sonatype data), emphasizing the urgent need to prioritize open-source software security. Responding to the vulnerability, the White House Office of the National Cyber Director and the Office of Management and Budget’s Office of the Federal Chief Information Officer established the Open-Source Software Security Initiative (OS3I), an interagency working group dedicated to strengthening the security of open-source software.

The Key Players

OS3I actively engages various interagency partners, including the Cybersecurity and Infrastructure Security Agency (CISA); the National Science Foundation (NSF); the Defense Advanced Research Projects Agency (DARPA); the National Institute of Standards and Technology (NIST); the Centers for Medicare & Medicaid Services (CMS); and the Lawrence Livermore National Laboratory (LLNL).

Together, these partnerships contribute to the collaborative strength of OS3I. This joint effort plays a pivotal role in identifying crucial priorities for enhancing security and translating policy solutions into action.

Empowering National Security and Innovation: OS3I’s Advocacy for Open-Source Software Resilience

The Biden Administration acknowledges the critical importance of open-source software security, spanning national security, economic stability, and technological innovation. Given its vital role in federal operations and critical infrastructure, OS3I was established to champion the adoption of memory-safe programming languages and elevate the security of open-source software.

Engaging Stakeholders: OS3I’s Request for Information on Open-Source Security

In August 2023, as part of OS3I’s continuous outreach to a diverse range of stakeholders, the White House Office of the National Cyber Director launched an RFI to gather insights from the public and private sectors. The primary goal was to seek perspectives on crucial matters related to open-source security, with stakeholders encouraged to identify key focus areas and address critical questions, including:

  • How should the federal government contribute to driving down the most important systemic risks in open-source software?
  • How can the federal government help foster the long-term sustainability of open-source software communities?
  • How should open-source software security solutions be implemented from a technical and resourcing perspective?

NSPE’s Response and Looking Ahead

In the early stages of the process, and with a strong emphasis on the critical questions mentioned above, NSPE actively engaged in the RFI, recognizing the significance of contributing to the ongoing focus on open-source software security. In its response, NSPE emphasized its commitment to values aligned with the enhancement of open-source software security, which is fundamental to fortifying the well-being, safety, and accessibility of essential services for the general public. Offering a distinctive viewpoint, NSPE’s response outlined innovative solutions, including a systems-wide approach and federal sponsorship for a global framework, emphasizing collaboration and accountability for security and traceability.

Looking ahead, NSPE is committed to advocating for open-source software security, prioritizing the safety and reliability of essential public services. This involves collaborating with stakeholders, industry professionals, and government bodies to shape effective strategies. NSPE remains dedicated to fostering innovation, accountability, and best practices, ensuring the professional engineering community plays a pivotal role in safeguarding critical services. Through ongoing dialogue and proactive initiatives, NSPE aims to contribute significantly to the development and implementation of robust solutions in the realm of open-source software security.

PHILIP GILES IS NSPE’S SENIOR MANAGER, GOVERNMENT RELATIONS AND ADVOCACY.