Strengthening the security of open-source software has become a significant challenge for governments, given the informal and ubiquitous nature of this community.
Yet this is a crucial component of the US government’s efforts to promote security by design across software more generally, thereby reducing vulnerability exploitation and supply chain incidents.
The RSA Conference 2024 provided an opportunity for government officials and open-source software stakeholders to discuss how to advance secure by design principles in this unique ecosystem.
Here are three key approaches highlighted to ensure security is advanced in a practical and collaborative way in open-source development.
Establish a Unified Open-Source Voice to Work with Government
There isn’t currently a good regulatory model to apply to the open-source ecosystem, according to Josh Lemos, CISO at GitLab, an open-source end-to-end software development platform. This is because open-source projects are generally run and managed by volunteers, who have no contractual obligations to address security issues when their code is used by other people and companies.
He believes governments must collaborate closely with the open-source community to work out the best course of action regarding regulation in this area, or else risk unintended consequences, such as stifling innovation.
“If there’s a collaborative approach to developing regulation, I think there is a good possibility of meaningful security outcomes, while getting the assurances we’re looking for,” said Lemos.
A good example of this was an early draft of the EU’s Cyber Resilience Act, now in the latter stages of being passed into law.
Omkhar Arasaratnam, General Manager of the Open Source Security Foundation (OpenSSF), noted that an earlier draft of the law had provisions that would severely harm the open-source ecosystem, essentially treating open-source contributors as commercial software producers, such as assigning liability to them.
These provisions have now been significantly improved in the final draft, following feedback from open-source entities like OpenSSF. Arasaratnam said it is important to learn lessons from this experience when engaging with governments and lawmakers globally on the issue of open-source security. In particular, the community must be organized properly so that a wide spectrum of perspectives is represented.
“We need to draw from all sectors of our community and advocate for the minimum common set of things that will be well regarded,” Arasaratnam told Infosecurity.
Incentivizing Security by Design in Open Source
One of the key barriers to enhanced security in the development of open-source software is something that Arasaratnam describes as “economic opacity.”
This refers to the benefit manufacturers gain from using open-source code, which speeds up their software development. However, they do not contribute to the security or maintenance of this publicly available resource, because there are currently no economic incentives for them to do so.
“People don’t always consider the obligation that they have, especially if they’re a manufacturer, to care for software as their own,” stated Arasaratnam.
One way of creating such an incentive would be to put legal liability in place for insecure open-source software – not on the developers themselves, but on the manufacturers who incorporate the code into their products.
In a panel discussion at the RSA Conference, Jonathan Cedarbaum, professor of practice for national security, cybersecurity, and foreign relations law at GW, advocated an approach similar to that of the automobile industry, where car manufacturers are held responsible for the safety of components incorporated into their vehicles from third-party vendors.
This should drive better security practices down the chain. “This would place a huge incentive on the big vendors to scrutinize the parts they are buying, look for defects, correct themselves or demand corrections,” explained Cedarbaum.
Bob Lord, senior technical advisor at the US Cybersecurity and Infrastructure Security Agency (CISA), said this should include manufacturers making it clear that they are biased towards memory-safe programming languages, such as Rust, in the software they consume.
How AI Can Boost Open-Source Security
Another key theme from the RSA Conference was the opportunities offered by AI to significantly strengthen open-source software security.
With this in mind, the Defense Advanced Research Projects Agency (DARPA), an agency of the US Department of Defense, has launched an AI Challenge that tasks experts in AI and cybersecurity with developing AI-driven systems that automatically secure software code, including open-source code.
OpenSSF and other open-source entities, alongside tech giants like Google and Microsoft, are working with DARPA on this challenge, helping ensure that the solutions developed will benefit the community. The winning solution will be announced during the 2025 DEF CON conference.
Arasaratnam is excited that this initiative will lead to many innovative solutions that will allow open-source developers to secure their code easily.
“The winning solution will be open sourced as an OpenSSF project, and we will be running it in perpetuity after,” he added.
Lemos also highlighted several ways in which generative AI tools can make it easier for open-source code to be developed securely.
One way is to use these tools to generate test cases with the developer. “My hypothesis is that we would create better formed, more secure code, starting from the premise of the test cases into the software and through the development lifecycle,” he noted.
Another is using AI to minimize the software that needs defending by analyzing dependencies. “If those dependencies are ever used, then propose fixes that reduce the number of dependencies that are having to be patched,” explained Lemos.