U.S. Government Tackles Open Source, Memory-Safe Programming Security
The White House Office of the National Cyber Director (ONCD) has joined forces with key agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB), to unveil a Request For Information (RFI) centered on open source software security and the promotion of memory safe programming languages.
You can have a say in this RFI. The government is asking for public and private sector input as federal leadership develops its strategy and action plan to strengthen the open-source software ecosystem.
Why? Easy. Thanks to the Apache Log4j security problems and the SolarWinds security fiasco, even the government has woken up to the fact that software security is now a matter of vital national interest.
At Black Hat, Kemba Walden, ONCD acting director, said, “95% of our technology relies on open source. How we make it more secure is the fundamental question. How do we influence, encourage, and require memory-safe languages? Help us make smart policies about how to make open source technology more secure.”
Walden continued, “How do we make open-source software secure by design? Why are we using languages that are not safe? I need to understand from this community how to do that, how do you make a policy that is holistic, that is actionable in order to encourage that?”
We need to answer her, and the government’s, concerns.
This is just the latest follow-up from the White House January 2022 meeting with open source organizations such as the Apache Software Foundation (ASF) and the Linux Foundation and executives from Apple, Amazon, Google, IBM, Microsoft, and Oracle. Government agencies were also represented.
This move directly reflects the Administration’s pledge, as outlined in the National Cybersecurity Strategy, to channel investments into the creation of secure software. This encompasses the development of memory-safe languages, advanced software techniques, frameworks, and rigorous testing tools. Furthermore, the RFI is a significant step towards achieving the goals set in initiative 4.1.2 of the National Cybersecurity Strategy Implementation Plan.
While almost everyone agrees that the widespread adoption of open source software has been beneficial, the government also fears its introduced distinct security challenges. That’s especially true for government operations, and military applications.
Recognizing these challenges, the White House has initiated the Open-Source Software Security Initiative (OS3I). This interagency collaboration aims to pinpoint policy solutions and allocate government resources to enhance security measures within the open source software landscape.
The OS3I, in collaboration with its interagency partners, has spotlighted several goals. These include the expansion of memory-safe programming languages, the establishment of requirements for the creation of secure and privacy-centric security attestations, and the identification of priority areas for enhanced attention and resources.
Want to put your two cents in? Responses are due by 5 p.m. EDT on Oct. 9, 2023, and can be sent to OS3IRFI@ncd.eop.gov.
