Open source software is integral to a free and open internet, and businesses of all sizes are using it more than ever. However, given the publicly accessible nature of open source software and the historically inconsistent investment in its security, it is uniquely difficult to protect.
The Securing Open Source Software Act
In an attempt to prioritize and streamline security, the U.S. Congress introduced the Securing Open Source Software Act (SOSSA) on September 21, 2022. The proposed bill holds that the Federal Government should play a supporting role in the long-term security of open source software. SOSSA centers on new duties for the Cybersecurity and Infrastructure Security Agency, or CISA, and on how federal agencies use open source software under its guidance.
SOSSA would require CISA to do the following:
- perform outreach and engagement to bolster the security of open source software;
- support federal efforts to strengthen the security of such software;
- coordinate with nonfederal entities on initiatives to ensure long-term security;
- serve as a public point of contact regarding the security of open source software for nonfederal entities; and
- support federal and nonfederal supply chain security efforts by encouraging efforts to bolster open source software security.
In addition, CISA must publish a framework for assessing the risk of open source software components, incorporating best practices from government, industry, and the open source software community.
What SOSSA Means for IT Pros
To better understand how the Securing Open Source Software Act might affect IT leaders, ITPro Today spoke with John A. Wheeler, an analyst and AuditBoard’s senior advisor for risk and technology.
“The primary challenge facing businesses regarding security compliance is the ever-increasing number of frameworks, standards, and laws that must be considered when operating in specific global jurisdictions,” Wheeler said. “For example, each U.S. state has its [own] data breach notification law. In addition, on the heels of the European Union General Data Protection Act, individual U.S. states are now enacting their [own] data privacy laws, starting with California’s Consumer Protection Act.”
With increased regulation at both the state and federal levels, businesses face challenges with skill shortages, security gaps, and data transparency, he said.
Despite concerns and compliance challenges, open source software usage continues to expand, with many companies relying on both open source and proprietary software security technologies. One way to mitigate the complexities of compliance is with tools that automate the assessment of regulatory requirements, assets, and risks, Wheeler noted.
Adopting new software, and in particular introducing third-party technology, can create new infrastructure risks. “The growing investment in digital technologies produced by third parties only complicates the technology risk profiles for companies today,” Wheeler explained. “The visibility of these third-party technology risks requires automation to monitor the dynamic nature of cybersecurity across an array of companies and software products.”
Weak third-party security controls have already proven to be a significant risk for companies. According to a study by the Ponemon Institute, 54% of organizations have experienced a data breach caused by a third party.
While it is difficult to know how effective a bill like SOSSA will be in safeguarding open source software, measures taken to both promote and secure the usage of open source software are crucial in our increasingly interconnected world, Wheeler said.