Developers find it easier and quicker to assemble applications from well-built third-party components, many of which are open source. However, the rise in open source usage has also brought a rise in vulnerabilities. US Senators Gary Peters (D-MI) and Rob Portman (R-OH) introduced bipartisan legislation, the Securing Open Source Software Act, to strengthen open source security. In this article at ZDNet, Steven Vaughan-Nichols sheds light on the Act and explains some of its possible loopholes.
Open Source Security: What Does the Act Say?
The US government has worked with tech organizations such as Linux Foundation and the Open Source Security Foundation for over two years to develop robust security initiatives. “The Securing Open Source Software Act, however, moves open source from the realm of policy and regulation decisions into federal law. This bill will direct the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework to evaluate how open source code is used by the federal government,” says Vaughan-Nichols.
The law is rooted in the Log4j vulnerability, which caused widespread and significant damage to federal systems and critical infrastructure. Security professionals believe that Log4j served as a wake-up call for the federal government. The Act aims to guard organizations against incidents like Log4j by mitigating the risks of systems that use open source components. Furthermore, it also seeks to strengthen collaboration between the government and open source communities.
What Are the Potential Loopholes of the Act?
The bill misses a few points. The author points out that all software, not just open source, should be checked for potential risk. Security professionals welcome government involvement in open source security efforts. However, they believe that the government should foster collaboration rather than create a checklist that adds more work for those maintaining critical open source software. Furthermore, open source software advocates worry that the burden of government mandates will undoubtedly fall on the already-burdened open source community.
To read more about the Act, see https://www.zdnet.com/article/whats-what-in-the-united-states-securing-open-source-software-act/.
The post Can Bipartisan Bill Strengthen Open Source Security? appeared first on AITS CAI’s Accelerating IT Success.