The Institute for Security and Technology is proposing using a shared responsibility model for open source software security in a new report highlighting opportunities to incentivize best practices and improve vulnerability management.
The report provides a rundown of the open source software ecosystem with specific recommendations and a review of the Log4j vulnerability, explaining how it was identified and exploited by threat actors.
It says, “This report advocates shifting open-source software security to a shared responsibility model, redoubling support for existing secure software development frameworks, policies, and licenses, and reexamining approaches to vulnerability management and mitigation to ensure they account for open-source software.”
On shared responsibility, the report says, “Large corporations are especially well-suited for the shift to a shared responsibility model, given their resources and the benefits and risks they face when integrating open-source software into projects. Further, the federal government could develop incentives encouraging companies to adopt and leverage existing quality assurance processes to identify and rectify vulnerabilities in open-source code.”
“Incentives could also encourage organizations to report identified vulnerabilities to the original developers, rather than simply fixing the code in their own environment,” the report says. It was released on Monday.
Stakeholders need to “redouble support for existing secure software development frameworks, policies, and licensing schemes to ensure that future vulnerabilities do not endanger the Internet’s infrastructure,” according to the report.
IST argues that open source licensing will bring “greater consistency within the ecosystem.” Using a Software Bill of Materials could be part of this effort, the report says, to “further increase clarity during vulnerability management.”
The report says the federal government needs to leverage its procurement power to mandate that companies using open source software subject the open source code they use “to the same security processes as their own code, contribute fixes, make coordinated disclosures to the repository maintainers, avoid dead projects, and shoulder the responsibility of maintaining projects.” By doing so, the report argues, “the U.S. government can move the needle toward improved cybersecurity at scale.”
Expanding on SBOM, the report calls for companies and open-source developers to use them and “thereby provide a detailed list of components used in a software product.”
It notes that “widespread adoption would make it easier to determine the most widely used libraries, a highly useful development in terms of incident and risk management” and says government can use its procurement power to make “SBOMs essential in the marketplace.”
The report proposes exploring how to introduce memory safety as a method to “combat vulnerabilities in software.” Memory safety is a component of CISA’s work on secure-by-design and secure-by-default.
IST offers a framework for “proactive vulnerability management and mitigation within a shared responsibility model,” including a call for vulnerability management to be “more closely aligned with threat intelligence through the sharing of tools and skills.”
The report says, “The U.S. government, including CISA and the Office of the National Cyber Director (ONCD), should maintain threat intelligence teams that provide contextual vulnerability management assistance, especially to small and medium-sized businesses.”
In addition, the report says, “The U.S. government should create a database of products known to contain vulnerable dependencies.” IST specifically calls out CISA’s Known Exploited Vulnerabilities Catalog and how it “does not identify products or services that may contain a vulnerability unless they experience a high-profile attack.”
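The two uses the report describes for SBOMs, finding the most widely used libraries across a portfolio and identifying the products that contain a vulnerable dependency, come down to the same operation: parse each product’s component list and cross-reference it against advisory version ranges. The following is an added example, not code from the IST report or from any tool it names. The three product SBOMs and their names are constructed for illustration; the CycloneDX JSON field names (“components”, “name”, “version”, “purl”) are real. The version ranges attached to CVE-2021-44228 (the Log4j vulnerability the report reviews) are transcribed from memory of the advisory and must be checked against the authoritative source before real triage; the example models advisories as inclusive ranges precisely so that the back-ported fix releases inside the broader 2.x span are not flagged.

```python
"""Cross-reference per-product CycloneDX-style SBOMs against advisory ranges.

Added example, not from the IST report. SBOM contents and product names are
constructed; CVE-2021-44228 ranges are from memory and should be verified.
"""
import json
import re
from collections import Counter

# Constructed SBOM documents in a minimal CycloneDX 1.4 JSON shape.
SBOMS = {
    "invoice-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.13.0",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        ],
    }),
    "reporting-portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.13.0",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
            {"type": "library", "name": "spring-core", "version": "5.3.10",
             "purl": "pkg:maven/org.springframework/spring-core@5.3.10"},
        ],
    }),
    "batch-runner": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.3",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.3"},
            {"type": "library", "name": "guava", "version": "31.0.1",
             "purl": "pkg:maven/com.google.guava/guava@31.0.1"},
        ],
    }),
}

# Advisory entries: component name plus inclusive affected version ranges.
# Multiple ranges let the back-ported fixes (2.3.1, 2.12.2) fall outside.
ADVISORIES = [
    {"id": "CVE-2021-44228", "component": "log4j-core",
     "ranges": [("2.0", "2.3"), ("2.4", "2.12.1"), ("2.13.0", "2.14.1")]},
]


def version_key(version, width=4):
    """Turn '2.14.1' or '2.0-beta9' into a fixed-width integer tuple.
    Non-numeric suffixes are dropped, so a pre-release compares as its base."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def is_affected(name, version, advisory):
    """True if this component/version falls in any of the advisory's ranges."""
    if name != advisory["component"]:
        return False
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in advisory["ranges"])


def component_usage(sboms):
    """Count the number of products each component appears in."""
    usage = Counter()
    for doc in sboms.values():
        for name in {n for n, _ in load_components(doc)}:
            usage[name] += 1
    return usage


def products_with_vulnerable_deps(sboms, advisories):
    """Map product name -> list of (component, version, advisory id) hits."""
    findings = {}
    for product, doc in sboms.items():
        hits = [(name, ver, adv["id"])
                for name, ver in load_components(doc)
                for adv in advisories if is_affected(name, ver, adv)]
        if hits:
            findings[product] = hits
    return findings


if __name__ == "__main__":
    for name, count in component_usage(SBOMS).most_common():
        print(f"{name}: used by {count} product(s)")
    for product, hits in products_with_vulnerable_deps(SBOMS, ADVISORIES).items():
        for comp, ver, adv in hits:
            print(f"{product}: {comp} {ver} affected by {adv}")
```

The usage count answers the report’s “most widely used libraries” question directly from the SBOMs, and the findings map is the per-product view the report wants a shared database to provide. Real SBOMs also carry nested components and multiple versions of one library; the range model above is the part worth keeping, since a single “everything below 2.15.0” rule would wrongly flag the back-ported fix releases.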
The report was written by IST’s Zoë Brammer, Silas Cutler, Marc Rogers and Megan Stifel.
IST leads the Ransomware Task Force, which will celebrate its second anniversary at a May 5 event that will assess the 48 recommendations from its original report. Speakers include Acting National Cyber Director Kemba Walden, Anne Neuberger of the National Security Council and other cyber leaders from government and the private sector. -- Sara Friedman (email@example.com)