A Neighborhood Watch for Open-Source Software
Open-source software components now often comprise at least 80 percent of modern software applications, according to the best available estimate. They run the web servers that allow you to read this article, form the core of the mobile apps you use, and even help stealthier corners of government accomplish their missions—supporting U2 Dragon Lady missions, for example.
Modern software is no longer exclusively the copyrighted property of centrally controlled corporate giants. Instead, it is increasingly produced by a decentralized group of mostly after-hours volunteers. It is therefore unsurprising that vulnerabilities in open-source software have begun to accumulate and that malicious open-source supply chain compromises have become more intricate. Our grand challenge is therefore finding a way for democratic and open governments to help protect and maintain the vibrancy of these diverse open-source coding neighborhoods: for instance, the Node Package Manager (NPM) registry, which is the primary JavaScript registry; the Python Package Index (PyPI); and the Comprehensive R Archive Network (CRAN).
This is why the story of a concerted government effort to improve open-source software security is so noteworthy. In 2017, one government agency discovered 10 widely used open-source Python packages loaded with malicious functionality that were typosquatting on the names of popular packages, that is, masquerading as legitimate open-source packages under near-identical names. Instead of simply raising the issue internally, this agency alerted the world to malicious actors in the Python neighborhood. By helping remove those packages from the Python Package Index, the community repository for openly available Python programs, this disclosure helped make digital infrastructure a bit safer for everyone everywhere.
Was the hero of this story a U.S. government agency or other federal threat-hunting enterprise responsible for cybersecurity? Nope. It was Slovakia’s Computer Security Incident Response Team. But it could have been an American group.
We envision dedicating some of America’s substantial capability to help protect and defend the open-source software commons. The core of this vision is a decentralized group of U.S. government employees loosely working alongside both open-source software developers and industry software engineers. By mirroring the decentralized and even chaotic nature of the open-source contributor network, this watch can protect and safeguard the ecosystem without inhibiting the ability for genius and ingenuity to come from any node in the network. We call this the Open-Source Software Neighborhood Watch. While a traditional neighborhood watch keeps a lookout for suspicious activities in towns or cities, our neighborhood exists in the digital realm.
This neighborhood watch could create the digital security infrastructure to help open-source software developers and end users lead more secure digital lives. Its activities could include designing, building and maintaining software systems that promote the engineering integrity of the platforms underpinning modern digital society.
Security projects created by the Open Source Security Foundation (OpenSSF) to monitor open-source software security, such as Package Feeds and Package Analysis, could be extended, evaluated, improved and maintained for the long haul by security engineers within such an organization. Other potential projects include building a secure package manager—software that downloads and installs software packages—or helping shape and improve open-source software “nutrition label” projects such as metrics.openssf.org.
Alternatively, the watch could engage in grant-making, finding and funding smaller, more nimble organizations capable of building and perhaps commercializing open-source software security products. These diverse activities would all be aimed at reducing the number and severity of open-source software compromises and decreasing the harm caused by such compromises.
The watch could also engage in community-building and market making. For instance, it could sponsor open-source software bug bounties, similar to the Defense Digital Service’s “Hack the Pentagon,” but more like “Hack Open Source.” A more focused effort could involve searching for vulnerabilities in GitHub repositories maintained by U.S. government agencies. It could also sponsor a DEF CON village focused on open-source software security, assembling a coalition of competent contributors.
Even those who support this idea might worry about the politics of U.S. government employees working to protect the coding commons. The first step for any would-be advocate of such action is to canvass federal institutions. This advocate should seek any person and organization that believes open-source software insecurity creates systemic risk. It also probably behooves the organizers of a federal open-source neighborhood watch to partner with an institution that a wide, international community can trust and respect. OpenSSF, a Linux Foundation-led collaboration on open-source software security, or the Open Source Initiative could be such a partner. In addition, participation as a watch member, at some point in one’s career, should at least be encouraged for software engineers and technologists within the U.S. government, like a tech corps.
Even though open-source software is easy to take for granted, any insecurities within it can impose heavy costs on society. Think Heartbleed/OpenSSL, event-stream, or, most recently, log4j. Even the recent cybersecurity executive order explicitly recognizes the importance of open-source software security. In short, we’re glad Slovakia’s Computer Security Incident Response Team is taking the time to patch open-source software vulnerabilities. Perhaps it’s time America did too.
Find out more at: https://github.com/Open-Source-Software-Neighborhood-Watch.
John Speed Meyers is a security data scientist at Chainguard. George Sieniawski is a senior technologist at IQT Labs. Thomas Pike is a research director and faculty member at the National Intelligence University. Jacqueline Kazil is an engineering manager and leader of the AI/ML community at Rebellion Defense. Their opinions are theirs and theirs alone. They thank Kinga Dobolyi, Bentz Tozer, Rob Colter and Trey Herr for helpful reviews.