
Title

Securing Open Source Software at the Source: Creating a Center for Open Source Software Infrastructure and Security

Short description

Congress should establish a Center for Open Source Software Infrastructure and Security for 1) identifying and cataloging critical software in need of support and 2) funding critical improvements in open source software security.

Author(s)

@epicfaace

Proposal body

Congress should create a Center for Open Source Software Infrastructure and Security within DHS that does the following:

  1. Identify and catalog critical software in need of support. Congress should initiate an effort to systematically identify the most critical open source software components and develop criteria for determining the criticality and vulnerability of open source software. This effort can be coordinated with CISA, through the National Risk Management Center (NRMC), to determine the open source software components most important to the nation's critical infrastructure sectors and National Critical Functions. This effort should also engage NIST to determine guidelines for the criticality and vulnerability of open source software, creating criteria analogous to the Common Vulnerability Scoring System (CVSS). The effort should result in an ongoing catalog that could be made available to other agencies as well as the public, analogous to the National Vulnerability Database (NVD) program.
  2. Congress should establish a process for funding OSS components that are determined to be both critical and in need of support, as well as improvements to the general ecosystem. Such funding could include:
    • An emergency fund that supports short-term and narrowly scoped security work, such as bug bounty programs for finding high-severity vulnerabilities or grants for fixing particularly critical vulnerabilities or hardening specific software. For example, qualifying grant proposals could be similar in nature to the Django Fellowship, which helped hire full-time developers to focus on triaging bugs and managing security releases for the open source web framework Django.
    • A fund for non-software-related strategic initiatives or research that may improve the security health of the entire open source ecosystem. For example, this could include events to improve education around security practices in the OSS ecosystem or research initiatives to better understand how open source developers approach dependency management.

Due diligence

  1. What related work has already been done in this area? Mechanisms for public and philanthropic funding of critical OSS are already in place. The above two recommendations would build on CISA's recent decision to invest in the open source election auditing software tool Arlo. The European Commission's FOSSA (in 2014) and FOSSA 2 (in 2020) programs also funded both an inventory of critical OSS infrastructure and a bug bounty program that successfully fixed dozens of critical or high OSS vulnerabilities. Moreover, the Ford Foundation and Sloan Foundation's Critical Digital Infrastructure Research Fund and the Chan Zuckerberg Initiative's Essential Open Source Software for Science have supported open source software maintenance and research through a grant program.
  2. How is this proposal innovative -- what distinguishes it from other related work? A Center for Open Source Software Infrastructure and Security would build on such initiatives, but with greater scale and impact, because the federal government traditionally has not funded much OSS.
  3. Who is your doer -- who will execute the proposed work? N/A, not sure yet -- perhaps an existing open source software research lab / institution.
  4. How might this work be sustained long-term after an initial seed grant? An initial seed grant could help with the initial work of the Center, and long-term funding would be pursued through Congress.

Resources needed

Legislative advocacy. Additionally, an initial seed grant could potentially help with the initial work of the Center.

Paper published summarizing this idea: https://www.plaintextgroup.com/reports/securing-open-source-software-at-the-source