After Log4J US lawmakers rush to secure open source software

The bipartisan Securing Open Source Software Act is a positive development for open source software everywhere

In a rare show of bipartisan unity, legislation to improve the security of open source software used in government was recently approved by the US Senate Homeland Security Committee.

The Securing Open Source Software Act 2022, promoted by Republican senator Rob Portman and Democrat Gary Peters, was prompted by the discovery in December last year of a serious vulnerability in Log4J, a utility present in hundreds of thousands of Java applications and on an estimated 3 billion devices. Because it is so widespread, this vulnerability will have repercussions on cyber security for many years to come - a huge problem now that much infrastructure is effectively software, and much of that software is open source - including many components used in proprietary software.

The draft Securing Open Source Software Act requires the US Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework to evaluate open source code, and to hire open source developers to proactively seek out and patch security issues, among other provisions.

What's in the Securing Open Source Software Act?

The draft act directs CISA to make the best use of existing frameworks and methodologies deployed by the public and private sectors in order to develop a risk framework to evaluate how open source software is used by the US government and what risks it poses in the context in which it's used. Companies that do business with the government will also have to comply.

It requires CISA to investigate and remediate vulnerabilities in open source code, which will require hiring expertise, and recommends that some agencies create open source program offices (OSPOs) to manage their use of open source software and assess its risks on an ongoing basis, and it calls for the creation of a committee within CISA to issue guidance on the secure use of open source code.


The draft act, which will need to be passed by the Senate, follows on from President Biden's 2021 Executive Order on Improving the Nation's Cybersecurity, which came about after the SolarWinds hacks, and covers similar ground to that EO.

Why is it needed?

Log4J is the latest in a line of vulnerabilities to afflict open source, including the Apache Struts glitch that led to the Experian data leak, OpenSSL and Heartbleed. Proprietary software is not off the hook, of course - witness SolarWinds, Microsoft Exchange, Kaseya and others - but use of open source software has grown dramatically over the past decade, and management of open source software requires a different methodology: procurers may not be clear where responsibility for security lies, particularly when it is combined with paid-for services and add-ons.

"This software needs curation to be secure and the responsibility for that curation lies firmly with the user, in this case our public sectors across the globe," said Amanda Brock, CEO of not-for-profit group OpenUK, who welcomed the new bill.

However, while the draft act goes some way in providing a mechanism for how CISA might co-ordinate this curation, it is light on the detail, particularly around third-party services.

"What we need is clarity around paid services and enhancements, as opposed to the underlying Open Source projects that are distributed royalty free and without liability," Brock said.

"Where there is payment associated with open source software, that is not for the software itself, and understanding that is key. Liability for these - as with any paid-for services - rests with the provider, but these are part of the act of curation that all end users need to ensure."

Building skills

The emphasis on building skills was welcomed by Paul Baird, UK chief technical security officer at security vendor Qualys. Open source is no more or less intrinsically secure than any other software; indeed, it is often stated that there are more eyes on open source code, improving the chances of spotting flaws, but "this depends on there being a community of people with the right skills and the interest in finding those problems," Baird commented.

Assuming the act becomes legislation, CISA's formalisation of bug hunting and remediation by hiring specialist teams and setting up institutions is likely to help fill this gap, and the dissemination of security information and guidance from one of the world's largest players would be a positive development.

"For us in the UK, this ruling might seem to be an esoteric point of US law. But it should put an official organisation in place that provides guidance on open source software and potential risks, which will be a useful source of risk information over time," said Baird.

Continuous code checking

The bill proposes that open source code used by government be checked by CISA once initially, then after a year a continuous scanning process should be in place.

"The 'continuous' factor here is incredibly important as software, particularly open source software, is constantly evolving," said Michael Isbitski, director of cybersecurity strategy at cloud security firm Sysdig.

"A snapshot in time will differ greatly from reality, particularly after a year. The bill also supports a potential future expansion to cover other critical infrastructure outside just the government."

What's next?

The draft act has yet to pass into law, and with mid-term elections on the horizon there's a risk that it may be delayed or abandoned altogether, despite its bipartisan backing. However, Isbitski felt the big cloud companies might implement many of these security features independently.

"I strongly suspect the cloud provider industry will actually solve this meaningfully sooner than the government will. They have to because of the amount of open source software they use in their offerings. They also have the benefit of scale on their side."

Open source software is ubiquitous and ever more important, and it requires a different set of management priorities, not all of which are well understood. Formalising security analyses and bolstering checking should improve security and trust overall.

Some question whether the focus on open source might take the pressure off commercial software vendors to improve their products, and the draft act is light on detail about how code security will be assessed. But all in all, as far as a scan of commentary on the web can reveal, the cyber security and open source communities are positive about the bill.

"Ultimately, while this bill is aimed at US federal software projects, it should help with the long-term sustainability of open source projects and improving confidence in the quality of open source code for everyone," said Isbitski.