Following the roadmap to open-source software security

There’s no question that open-source software is central to the development and innovation required to meet federal missions – making its security of the utmost importance.

OSS supports every critical infrastructure sector within the federal government. The federal government recognizes this and is prioritizing OSS security with measures such as the Office of the National Cyber Director’s recent OS3I Initiative and subsequent request for public information and the Cybersecurity and Infrastructure Security Agency’s Open-Source Software Security Roadmap. These initiatives will help agencies to better understand, manage and reduce the risks of open-source software that our nation’s critical infrastructure is built on.

It’s up to oversight bodies such as CISA, government leaders and industry partners to set baseline expectations for OSS use and ensure top-level security to protect agencies’ critical data — which could be at stake if agencies fail to have clear standards in place.

To reduce vulnerabilities at scale, government leaders need to prioritize security and foster open-source software development best practices. This can be broken down into three top considerations to enhance security:

— Utilize supported enterprise OSS;

— Implement secure-by-design practices in the development phase; and

— Leverage artificial intelligence.

Supported enterprise OSS offers more security

Contrary to common belief, not all OSS is created equal. Federal agencies handling sensitive data should utilize supported enterprise open-source software where possible. Agencies using free versions of enterprise OSS at scale don’t receive the level of support required to ensure data remains secure. Even if they are feature-rich, free tooling projects don’t offer auditable, attestable security at scale.

Supported enterprise OSS provides an increased level of security and regulation with additional accountability for the provided code. It does this through quality checkpoints, automated testing, and enforceable DevSecOps pipelines to consistently validate contributions to the software. It also does a better job of managing risk and provides enhanced capabilities for visibility, transparency, reporting and auditability.

Additionally, hardening guides and best practices should be created and published for enterprise versions of OSS to reduce risk. Peer code review is a common practice in OSS community development. For better transparency and security, the platform hosting the OSS should have visibility into peer reviews and contribution approver history.

Public-private partnerships are essential to increasing accountability and transparency in the software development process. The government can look to industry partners for support in best practices for secure open-source software.

Keeping OSS secure by design

In addition to the OSS Security Roadmap, CISA also recently put out new guidance on secure-by-design practices for software providers as a critical approach to ensure the security of OSS. Secure-by-design products have security baked in at the start of the software lifecycle—not as an afterthought or at the end of the development process.

CISA’s guidance, as well as guidelines set by standards like NIST’s Secure Software Development Framework (SSDF), reinforce critical considerations for keeping software secure by design, which must carry over into open-source environments. In the case of OSS security specifically, the SSDF acts as a guide to confirm secure-by-design principles and leads to an initial level of trust for OSS adoption. In accordance with secure-by-design principles, developers and federal leaders utilizing software should consider tools that automatically scan for vulnerabilities and have strong environmental visibility.

Another tool government leaders should consider to ensure all software is secure by design is a Software Bill of Materials (SBOM), an inventory of the components that make up a piece of software. SBOMs also include critical information about the libraries, tools, and processes used to develop, build, and deploy a software artifact. Keeping a record of which tool was used to generate the SBOM, together with an accompanying digital attestation, can certify that the artifact hasn’t been modified.
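As an added illustration of the SBOM-plus-attestation idea described above (this is example code written for this page, not GitLab's or CISA's tooling): a minimal SBOM-like record carries the component list, the name of the generating tool, and the artifact's hash; an attestation is computed over the canonical record; and a consumer checks the attestation, the generator, and the artifact hash before trusting the artifact. The artifact bytes, component names and key are constructed placeholders. HMAC-SHA256 from the standard library stands in for the asymmetric signature a real attestation would use, so the script runs with no third-party dependencies.

```python
import hashlib
import hmac
import json

# Constructed sample inputs (placeholders, not real release data or keys).
ARTIFACT = b"example-service-1.4.2 release tarball contents (constructed sample)"
COMPONENTS = [
    {"name": "libexample", "version": "2.3.1"},      # constructed
    {"name": "example-logger", "version": "0.9.0"},  # constructed
]
GENERATOR_TOOL = "example-sbom-generator/1.0"       # constructed
ATTESTATION_KEY = b"placeholder-attestation-key"     # stand-in for a signing key


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of arbitrary bytes."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifact_name: str, artifact: bytes, components: list, tool: str) -> dict:
    """Minimal SBOM-like record: what the artifact contains, which tool wrote
    the record, and a hash binding the record to the exact artifact bytes."""
    return {
        "artifact": {"name": artifact_name, "sha256": sha256_hex(artifact)},
        "components": components,
        "metadata": {"tool": tool},
    }


def canonical(sbom: dict) -> bytes:
    """Deterministic serialization so producer and verifier hash identical bytes."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def attest(sbom: dict, key: bytes) -> str:
    """Attestation over the canonical SBOM. HMAC is a stand-in for a digital
    signature; a real pipeline would sign with a private key and publish the
    public key so consumers need no shared secret."""
    return hmac.new(key, canonical(sbom), hashlib.sha256).hexdigest()


def verify(artifact: bytes, sbom: dict, attestation: str, key: bytes,
           required_tool: str = None) -> tuple:
    """Consumer-side check. Returns (ok, reason). Order matters: the SBOM is
    only trusted once the attestation over it checks out."""
    if not hmac.compare_digest(attest(sbom, key), attestation):
        return False, "attestation does not match SBOM (record or attestation altered)"
    if required_tool is not None and sbom["metadata"]["tool"] != required_tool:
        return False, "SBOM generated by an unexpected tool"
    if sha256_hex(artifact) != sbom["artifact"]["sha256"]:
        return False, "artifact hash mismatch (artifact modified after SBOM generation)"
    return True, "ok"


# Producer side: generate the record and its attestation at build time.
SBOM = build_sbom("example-service", ARTIFACT, COMPONENTS, GENERATOR_TOOL)
ATTESTATION = attest(SBOM, ATTESTATION_KEY)


def run_checks() -> dict:
    """Exercise the three failure modes a consumer should catch."""
    tampered_sbom = json.loads(json.dumps(SBOM))
    tampered_sbom["components"].append({"name": "unlisted-dependency", "version": "1.0"})
    return {
        "unmodified": verify(ARTIFACT, SBOM, ATTESTATION, ATTESTATION_KEY, GENERATOR_TOOL),
        "modified_artifact": verify(ARTIFACT + b"\x00", SBOM, ATTESTATION, ATTESTATION_KEY),
        "tampered_sbom": verify(ARTIFACT, tampered_sbom, ATTESTATION, ATTESTATION_KEY),
        "wrong_tool": verify(ARTIFACT, SBOM, ATTESTATION, ATTESTATION_KEY, "other-tool/2.0"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_checks().items():
        print(f"{case:18s} ok={ok} {reason}")
```

The verifier rejects a modified artifact, an SBOM whose component list was edited after attestation, and an SBOM produced by a tool other than the one the consumer expects; the canonical serialization step is what makes the attestation reproducible on the consumer side.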

Prioritizing security within the development phase and with a supported platform of choice is critical to building and maintaining trust. Attestation and trustworthiness are also easier to attain with a singular DevSecOps platform that is used for build, test, and secure functionality.

Applying AI to enhance OSS

The federal government is expanding its capabilities with the use of artificial intelligence, which is another tool agencies should consider for their OSS security journey. AI has the capacity to automate menial tasks and will take some of the burden off developers, leaving them with more time to focus on security. Organizations should also look beyond just using AI for code development and incorporate it throughout the software development lifecycle in capacities such as explaining code to non-technical users and providing security support.

When integrated through each stage of the software development lifecycle, AI can help proactively reduce the number of manual approvals required in the development process. It can also be applied to new code and automated test creation, automated selection of reviewers, and assisted remediation of identified vulnerabilities.

Government agencies considering AI should pay attention to the models and platforms used, vendor transparency, and coding best practices. Human verification of code should continue to be an ongoing requirement with the supplement of automated security scanning.

OSS is foundational to software development, spurring innovation and enabling the government to develop critical programs more rapidly, providing a base for critical infrastructure. It is paramount to follow best practices for OSS security to reduce risk and better protect government assets.

This undertaking doesn’t have to be done alone – federal leaders should look to incentivize intentional partnerships between government and industry to encourage collaboration and accountability. Working together to secure OSS is crucial to national security. Utilizing these considerations can bolster OSS security and, in turn, empower the government to innovate for mission-critical operations.

Joel Krooswyk is the Federal CTO at GitLab, a developer of secure software products and services.