Securing Open Source Software Act - It’s a Pretty Big Deal

Today, no one doubts the importance of open source software. In fact, here at CloudBees, we love Jenkins®. Open source software (OSS) has revolutionized the technology industry, empowering developers worldwide to collaborate and more quickly create innovative solutions. However, as with any digital realm, security concerns loom large. There have been several high profile security issues related to open source and, just as with commercial software, it is important to be sure you secure any open source software in use.

It ends up Congress has noted both the positive impact of open source, along with the potential security concerns in using it. Currently, there is a bill pending in the United States Senate in support of open source and the importance of securing it. Let's examine the Open Source Software Act and what it means for all of us.

S. 917, Securing Open Source Software Act of 2023, was introduced by the U.S. Congress in March 2023.  The bill aims to establish the duties of the Cybersecurity and Infrastructure Security Agency (CISA) concerning open source software security. It recognizes the importance of open source software for technology development, national security, and the economy. In fact, it highlights the value of the open source community as contributors to “a secure, healthy, vibrant, and resilient open source software ecosystem is crucial for ensuring the national security and economic vitality of the United States.” Congress’ aim is to securely embrace and support a long-term vibrant relationship with the software community, while recognizing the inherent challenges and risk associated with open, self-governed software communities as it pertains to national security.

The bill proposes that the director of CISA should engage with the open source software community, support efforts to strengthen open source software security, coordinate with non-federal entities and serve as a point of contact for open source software security. Furthermore, Congress’ expectation is that CISA will become the premier agency in all things open source, including the employment of open source contributors, software supply chain experts, and liaisons, to foster a long-term secure healthy relationship with the open source communities.

The Securing Open Source Software Act includes provisions for the development of a risk assessment framework for open source software components. This framework, due no later than one year after enactment of the Securing Open Source Software Act, guides the identification of open source components, enhances the security of software development processes, and standardizes a software bill of materials (SBOM). It also requires the disclosure of information regarding community support and the level of risk associated with open source software components, according to the framework. Finally, this framework will identify the specific use and breadth of open source components throughout the federal government. Following this assessment, the number and severity of publicly known unpatched vulnerabilities across open source components shall be assessed and this impact analysis will be made available to all agencies.

The goal of S.917 is not to marginalize or deter government programs from utilizing open source software. Instead, the intention is to alleviate the burden of open source analysis from individual agencies and provide a safe framework to foster greater innovation. Open source software possesses several strengths that contribute to its widespread adoption: 

• Open source communities encourage transparency, peer review, and collaborative development

• Open source software enhances quality, customization, and flexibility 

• The collective efforts of a global community lead to rapid bug identification and resolution

The community-led effort behind open source has contributed to countless groundbreaking technical advances. However, this open and transparent nature also exposes open source projects to potential security vulnerabilities. 

Government agencies are becoming more agile, embracing rapid feature deployments to meet the mission and continuous RMF compliance to support things like cATO. A healthy relationship with the open source community is pivotal to these types of changes, but the Securing Open Source Software Act also recognizes the setbacks and risks to national security that software vulnerabilities pose, especially stemming from unregulated contributors.

Here are several well-known examples:

1. One of the most prominent attacks in recent memory, the 2020 SolarWinds hack involved the compromise of the software supply chain. Hackers infiltrated the SolarWinds development process, injecting a backdoor into their Orion software updates. Consequently, this provided unauthorized access to numerous high-profile organizations, including government agencies, compromising sensitive data.

2. In 2017, Equifax, a major credit reporting agency, suffered a massive data breach affecting around 147 million individuals. The breach was caused by a vulnerability in Apache Struts, an open source web application framework used by Equifax. Attackers exploited this weakness to gain unauthorized access to Equifax's servers and steal sensitive personal and financial data, including names, Social Security numbers, birth dates, addresses, and credit card information. The breach had severe consequences for affected individuals, increasing the risk of identity theft and financial fraud. Equifax faced public outrage, legal consequences, and reputational damage due to the incident, highlighting the importance of robust cybersecurity practices and prompt vulnerability mitigation to protect sensitive data.

3. Also in 2021 the Log4Shell vulnerability was particularly alarming due to its widespread impact. Log4j is a fundamental component used in countless applications and systems, making it a prime target for attackers. Exploiting this vulnerability, hackers could inject malicious code into the log message, leading to arbitrary code execution and potentially compromising the entire system. The full impact of the Log4Shell vulnerability is still not completely known, however it’s estimated that over twenty thousand software components were affected.  Additionally, roughly eight hundred other projects both open and closed source heavily utilized Log4Shell.  Experts estimate a single Log4Shell exposure cost programs roughly $90,000 to identify and contain.

If the Securing Open Source Software Act becomes law, it will indeed bring about significant changes in the use of open source software. The act could also encourage the adoption of secure software development processes supported by corporate entities. This means that organizations will be incentivized to use enterprise software solutions that provide technical support and prompt software patches in case any new vulnerabilities are discovered. By prioritizing the use of such software, organizations can enhance the security and reliability of their systems and mitigate potential risks associated with open source software.

The OSI logo trademark is the trademark of Open Source Initiative. Jenkins is a registered trademark of LF Charities Inc. Oracle, Java, MySQL, and NetSuite are registered trademarks of Oracle and/or its affiliates. Firefox is a trademark of the Mozilla Foundation in the U.S. and other countries. Android is a trademark of Google LLC.

Since CloudBees was founded, we have been committed to Jenkins, one of the world's most utilized and beloved open source projects. Our co-founders, Sacha Labourey and Francois Dechery, have open source in their DNA. Additionally, Kohsuke Kawaguchi, the creator of Jenkins, was CTO at CloudBees for many years. CloudBees Continuous Integration, our enterprise version of Jenkins, offers advanced security measures, scalability, standardization, and compliance that enhance the overall security posture of the development pipeline. If you already know Jenkins, there is no need for additional training, it's the same Jenkins that you already know and love. CloudBees is deeply involved with the Jenkins community and the Continuous Delivery Foundation (CDF). CloudBees is the major sponsor of Jenkins and CloudBees employees are major contributors to the Jenkins project. Sacha Labourey, chief strategy officer and co-founder at CloudBees, is a member of the governing board of the CDF. 

We are no stranger to highly regulated industries. We also have over sixty government customers. We deliver CloudBees Continuous Integration hardened releases which are scanned and authorized by the U.S. Air Force. This makes CloudBees Continuous Integration an attractive option for organizations looking to embrace the innovative potential of open source while complying with the pending legislation. CloudBees is dedicated to advancing production-ready capabilities and mission worthy security throughout the software development, deployment, and maintenance life cycle.

If passed, the Securing Open Source Software Act represents a significant step towards reinforcing the importance of security in the technology industry. By recognizing the importance of open source projects for national security and economic vitality, the Act proposes to establish the duties of the Cybersecurity and Infrastructure Security Agency (CISA) concerning open source software security. The Securing Open Source Software Act also  aims to develop a risk assessment framework for open source software components, enhance the security of software development processes, and standardize a software bill of materials (SBOM). Through such proactive measures, the Act seeks to safeguard the integrity of open source projects and encourage the adoption of open source in government programs and enterprises. 

Leveraging secure enterprise solutions like CloudBees Continuous Integration can further strengthen software development pipeline security while continuing to embrace the innovation and collaborative potential of open source communities. By working hand in hand with the open source community, organizations can comply with the new legislation and ensure the reliability and safety of their software development practices.

The CloudBees platform is built on top of Jenkins, an independent community project. Read more about Jenkins at: www.cloudbees.com/jenkins/about.