
The Securing Open Source Software Act

While there are not a lot of things Republicans and Democrats agree on, apparently they can agree that cybersecurity is a problem.

The Securing Open Source Software Act is designed to improve the security of open source software.

While some people would like to believe the myth that open source software is inherently secure, the reality is very different. Even when a piece of software is very popular, like Log4j, it still has bugs.

The vast majority of open source software has between zero and one person maintaining it, most likely zero. And even software with tens of millions of installs, like OpenSSL, has had bugs hiding in it for decades.

The bill tasks CISA with figuring out how to protect open source software.

The answer is pretty simple.

All you need to do is add people and money. I don’t think there is a shortcut, unfortunately.

The purpose, the bill says, is to help ensure that open source software is used safely and securely by the federal government, critical infrastructure and others.

According to the Open Source Security Foundation (OpenSSF), the bill would require CISA to create an initial assessment security framework for handling open source code risk using existing standards and frameworks.

This is much better than trying to reinvent the wheel.

It will also require CISA to hire developers to address open source security risk (the people part), and it will require OMB to fund CISA's efforts (the money part).

Of course, it is not law yet, but maybe it will be. Credit: ZDNet

