"Senators' Plan to Secure Open Source Software Involves Agencies Using More of It"

According to legislation reported by the Senate Homeland Security and Governmental Affairs Committee, top cybersecurity officials should guide agencies toward using and contributing to open-source code libraries. The Securing Open Source Software Act of 2022, introduced by Committee Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio), will help prevent the exploitation of vulnerabilities such as Log4Shell, a critical flaw in the widely used open-source library Log4j. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), issued an emergency alert in December urging agencies to find and fix all instances of the vulnerability, which she has described as the most serious she has ever seen.

However, avoiding the indirect use of open-source software would be a difficult task for government agencies. Commercial off-the-shelf (COTS) product vendors, whom officials have prioritized over in-house application development, compile their software from various open-source components while concealing their nature or configuration. The senators' bill would therefore rely on vendors providing agencies with a Software Bill of Materials (SBOM). SBOMs that record the open-source and other code components in a product would have made complying with the CISA directive, and managing critical vulnerabilities in general, much easier.

Under the legislation, the CISA director would be instructed to hire more personnel with experience working on open-source libraries and to use the SBOMs agencies collect to assess and rank open-source components. These evaluations should cover components' risk, criticality, or both, and should be based on a framework that takes into account factors such as the number of known vulnerabilities they contain and whether they are actively maintained. This article continues to discuss the senators' plan to improve the security of open-source software.
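The kind of SBOM-driven ranking the bill describes can be sketched in code. The example below is added here and is not from the article, the bill, or CISA; it assumes a CycloneDX-style JSON SBOM (only the `components` list is read), a constructed advisory table keyed by component and version, and a constructed "days since last upstream release" signal as the maintenance indicator. Component names, counts and weights are placeholders.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragments for two hypothetical products (placeholder names).
SBOMS = [
    '{"components": [{"name": "example-logger", "version": "2.1"}, {"name": "example-parser", "version": "1.4"}]}',
    '{"components": [{"name": "example-logger", "version": "2.1"}, {"name": "example-utils", "version": "0.9"}]}',
]
# Constructed advisory data (hypothetical): (component, version) -> severities of known vulnerabilities.
KNOWN_VULNS = {
    ("example-logger", "2.1"): ["critical", "medium"],
    ("example-utils", "0.9"): ["low"],
}
# Constructed maintenance signal (hypothetical): days since the upstream project's last release.
DAYS_SINCE_LAST_RELEASE = {"example-logger": 30, "example-parser": 900, "example-utils": 200}

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}  # assumed weights
STALE_AFTER_DAYS = 365  # assumed threshold for "not actively maintained"

@dataclass
class Assessment:
    name: str
    version: str
    criticality: int   # number of SBOMs (products) that include this component
    vuln_score: int    # severity-weighted count of known vulnerabilities
    stale: bool        # no upstream release within STALE_AFTER_DAYS

    @property
    def risk(self) -> int:
        # Stale components double their vulnerability weight (fixes are unlikely to arrive)
        # and carry a fixed penalty; deployment breadth multiplies the impact of any flaw.
        base = self.vuln_score * (2 if self.stale else 1) + (5 if self.stale else 0)
        return base * self.criticality

def components(sbom_json: str):
    """Yield (name, version) pairs from a CycloneDX-style SBOM document."""
    for c in json.loads(sbom_json).get("components", []):
        yield c["name"], c["version"]

def rank_components(sboms, known_vulns, days_since_release):
    """Aggregate components across SBOMs and return assessments sorted by descending risk."""
    usage = Counter(comp for s in sboms for comp in set(components(s)))
    results = []
    for (name, version), count in usage.items():
        vuln_score = sum(SEVERITY_WEIGHT[s] for s in known_vulns.get((name, version), []))
        # Unknown maintenance history is treated as stale rather than ignored.
        stale = days_since_release.get(name, STALE_AFTER_DAYS) >= STALE_AFTER_DAYS
        results.append(Assessment(name, version, count, vuln_score, stale))
    return sorted(results, key=lambda a: a.risk, reverse=True)

if __name__ == "__main__":
    for a in rank_components(SBOMS, KNOWN_VULNS, DAYS_SINCE_LAST_RELEASE):
        print(f"{a.name}@{a.version}: risk={a.risk} criticality={a.criticality} vulns={a.vuln_score} stale={a.stale}")
```

With the constructed inputs, the widely deployed component with a critical flaw ranks first, the unmaintained but currently flaw-free component second, showing that the two factors the bill names are scored independently.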

NextGov reports "Senators' Plan to Secure Open Source Software Involves Agencies Using More of It"
