'Securing Open Source Software Act' introduced to US Senate

243 points by di, over 2 years ago

25 comments

peteforde, over 2 years ago
Reading the comments so far, I'm genuinely surprised that more folks haven't applied a "follow the money" lens to their analysis.

To me, it reads as a bald-faced attempt to discourage public sector entities from using OSS solutions, when in fact there are perfectly good and definitely >100% secure proprietary offerings that cost a reasonable amount when purchased from the sorts of vendors that pay lobbyists to "help" senators write OSS bills.

Do you honestly think Rob fucking Portman woke up one day with strong opinions about FOSS?

Make no mistake: this is a thinly veiled late-stage attempt to displace the growing dominance of OSS-based solutions to the sorts of problems that the government and military used to pay 8 and 9 figures a year to EDS to solve.

An actual, good-faith bill that seeks to address these issues would attempt to incentivize/punish orgs that use FOSS without making meaningful contributions to it.
buscoquadnary, over 2 years ago
For those curious about what it actually is:

> The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.

So basically just another framework to evaluate risk for use by the Federal Government. A nothing burger as it were. Which I am on one hand glad about, because I don't like the government starting to get involved in Open Source which is at its core "Here's some code I wrote or whatever", but it also isn't doing anything for security.
stevenalowe, over 2 years ago
5 paragraphs of Silver Bullet Magical Thinking nonsense to get to the actual bill, which is basically calling for a study and recommended guidelines for OSS security - of which there are several already, including one from the DoD [1].

I see nothing new or useful here, what am I missing?

"The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee."

[1] https://insights.sei.cmu.edu/blog/taking-up-the-challenge-of-open-source-software-security-in-the-dod/
danbmil99, over 2 years ago
This is not a push for proprietary software. It's a prelude to regulatory capture where a bunch of highly paid consultants will need to bless your open source solution for big money.

It's going to be like electrical contracting. You get someone cheap to do the wiring and then a union guy comes in to sign the papers and take a pound of flesh.
not2b, over 2 years ago
It seems most commenters want to interpret this as a threat, or as a way to discourage use of FOSS by government. I don't think it is either one. The US government isn't a monolith, it's thousands of semi-independent fiefdoms all doing different things, and some know what they are doing and others have horrible security practices. This seems to be one of several efforts to fix that.

Looks to me like it will wind up making more money available for developers, mainly outside government, to audit and improve important free software that the feds are currently using. Unfortunately because of the way that government contracts work, companies that are already experienced at doing government contracts might wind up with the bulk of the money. But it isn't going to make things worse and might actually make things better.
yazzku, over 2 years ago
So will they help fund the projects now, or will they just express their opinions on how your unpaid work should be done?
bob1029, over 2 years ago
We do B2B software in banking and this is something we've been anticipating for quite some time now. We were implicated in that log4j exploit via a (very) transitive, cross-language dependency.

We killed 100% of our Java usage over this. We simply don't have enough in-house talent to make sure things are safe in that bucket. Our customers thought this was a glorious plan as well.

I do think most of the pain should fall to the vendors of the end product, not their oss suppliers. If your shop doesn't have enough resources to validate all vendors are safe, maybe figure out how to do it with fewer vendors.

At a certain level, if you are selling deficient products to sensitive customers, you really need to be stopped. Anything impacting finance, PII, safety, infrastructure, defense, etc. Some extra regulations could go a long way in these areas.
ananonymoususer, over 2 years ago
Seems like they are taking the right approach. Instead of trying to regulate OSS, they're funding CISA to help make it more secure.
transpute, over 2 years ago
LF OpenSSF "criticality score" for 100K Github repos, https://github.com/ossf/criticality_score & https://docs.google.com/spreadsheets/d/1uahUIUa82J6WetAqtxCM_qgH-YJOagH84AFniIhlAbg/edit

> Generate a criticality score for every open source project. Create a list of critical projects that the open source community depends on. Use this data to proactively improve the security posture of these critical projects ... A project's criticality score defines the influence and importance of a project. It is a number between 0 (least-critical) and 1 (most-critical). It is based on the following algorithm by Rob Pike..

Top 20 projects, based on "criticality score" algo output, you can run the script on your favorite OSS project:

> node, kubernetes, rust, spark, nixpkgs, cmsSW, tensorflow, symfony, DefinitelyTyped, git, azure-docs, magento2, rails, ansible, pytorch, PrestaShop, framework, ceph, php-src, linux
mkl95, over 2 years ago
Why limit it to open source? You wouldn't let an engineer build a bridge with car-sized holes just because the blueprint is not open.
thayne, over 2 years ago
Why the focus on open source?

The reason log4shell had such a big impact is because of how ubiquitous it was. Sure being free gives OSS a bit of an advantage in becoming ubiquitous, especially as a library.

But there's also plenty of proprietary software that is ubiquitous as well. And proprietary software has plenty of bad security bugs too.
eyelidlessness, over 2 years ago
So… I’m reading this from the perspective of working 100% professionally on open source software and I don’t understand at all what implications this has for my work being declared public infrastructure. I don’t think it’s being funded, which I guess isn’t surprising because not funding infrastructure is literally a meme which has been going for years. I don’t think anything is being offered to help secure the software I work on. It kind of reads like a vague threat? I don’t mean to be glib at all, but if you’re declaring something public infrastructure and you’re ostensibly a public servant, maybe making me feel scared of you isn’t a great look?
transpute, over 2 years ago
DHS (Dept. of Homeland Security) CISA (Cybersecurity and Infrastructure Security Agency) CSAC (Cybersecurity Advisory Committee) TAC (Technical Advisory Council) subcommittee report, June 2022, https://www.cisa.gov/sites/default/files/publications/June%202022%20CSAC%20Recommendations%20–%20TAC.pdf

> The Technical Advisory Council Subcommittee was established to leverage the imagination, ingenuity, and talents of technical experts from diverse background and experiences for the good of the nation. The subcommittee was asked to evaluate and make recommendations tactical and strategic in nature. These Cybersecurity Advisory Committee (CSAC) recommendations for the June Quarterly Meeting focus on vulnerability discovery and disclosure.

    Mr. Jeff Moss, Subcommittee Chair, DEF CON Communications
    Mr. Dino Dai Zovi, Security Researcher
    Mr. Luiz Eduardo, Aruba Threat Labs
    Mr. Isiah Jones, National Resilience Inc.
    Mr. Kurt Opsahl, Electronic Frontier Foundation
    Ms. Runa Sandvik, Security Researcher
    Mr. Yan Shoshitaishvili, Arizona State University
    Ms. Rachel Tobac, SocialProof Security
    Mr. David Weston, Microsoft
    Mr. Bill Woodcock, Packet Clearing House
    Ms. Yan Zhu, Brave Software
jrochkind1, over 2 years ago
"securing open source software act" would rationally mean funding the NSA or similar experts to help harden open source software, right? Or, hey, telling the NSA to disclose vulnerabilities they find in open source software so they can be patched, instead of sitting on them hoping nobody else notices. Right? No? Wait, what? It's just about telling the federal government to use less open source software? How does that make open source software more secure?
transpute, over 2 years ago
https://news.ycombinator.com/item?id=32956218#32957137

> FWIW, while this specific act may not be enforcing significant regulation, software developers need to understand that there's a ticking clock.

There are several initiatives from LF's OpenSSF and startup Chainguard.

Sept 2022, "Concise Guide for Evaluating Open-Source Software", https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md#readme

Sept 2022, "Show off your Security Score: Announcing Scorecards Badges", https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges/
jrsj, over 2 years ago
If they really wanted to make open source more secure they would just pay people to audit & submit fixes to widely used open source software. Of course the reality today is that the opposite occurs -- when federal intelligence agencies find out about vulnerabilities they prefer to keep the exploits for themselves.
smm11, over 2 years ago
"This led top cybersecurity experts to call it one of the most severe and widespread cybersecurity vulnerabilities ever seen."

Apparently they never changed one character in a query string in the late-90s.
Meph504, over 2 years ago
I won't get into the reason behind this, but I will say I found this statement horrible, and could not disagree more.

> "This important legislation will, for the first time ever, codify open source software as public infrastructure," said Trey Herr

Open source software is no more "public infrastructure" than the efforts of volunteer organizations. The government should have no say over this matter IMO.
lmeyerov, over 2 years ago
There's a funny bite here that seems long-term good.

The gov has a large culture of tapping integrators who do not give back to OSS, just use, basically the middle man, and leave behind fragile one-offs. Such abandonware should overwhelm receiving depts within 6-12mo, and bringing back integrators for the treadmill of patching superfluous npm CVEs would break their budgets.

So that means pressure to, well, not do that. Either the integrators get more involved, or part of the budgets finally goes to people who are.
swiley-gin, over 2 years ago
Well I've just had the weekly "why can't you come here" call with my foreign gf, failed to deliver on the couple tickets I have open at work, and posted my daily "barf into ~/stuff/*.c" to /prog/ so let's go through and read this instead of going and being with people.

TFA has no bill number so let's see if we can find it. Actually no, I'm not seeing it. Someone send me an HR? I'll update my comment if you do.
torstenvl, over 2 years ago
Text not available on Congress.gov yet, but keep your eyes on this space: https://www.congress.gov/bill/117th-congress/senate-bill/4913/text
mffap, over 2 years ago
a radical thought: how about hiring some engineers to contribute to oss that's being used in critical infrastructure?

I believe that most of the assessment stuff is covered by many NIST recommendations anyways.
yawnxyz, over 2 years ago
Why can't they treat this like academic / scientific work and create a funding body around grants that support OSS devs so they have more time and money to protect the software?
pGuitar, over 2 years ago
Any laws regulating OSS are potentially a big problem... why is it even needed? Reminds me of the "PATRIOT" Act authored by Joe Biden in 1994.
staticassertion, over 2 years ago
FWIW, while this specific act may not be enforcing significant regulation, software developers need to understand that there's a ticking clock. Modern civic engineers went without any significant regulation, and then that changed. Software is young, it's in the phase where people aren't dying too often for the public to care. But breaches are leading to massive privacy problems, real wars and conflicts are increasingly leveraging software defects, and the impact and scrutiny will only grow.

If you want to avoid having to pass tests, having to maintain insurance, having to do a bunch of bullshit, all just to be a software engineer, get started on fixing things now.

It is absurd that anyone can anonymously provide open source code, with no assurances whatsoever, and that can end up in critical software. And you might be saying "well, it's up to people to audit their dependencies" - and maybe you're right. But I would challenge that everyone has the right to publish code for distribution purposes with zero responsibility.

Publishing code to Github? Sure, go for it, anyone can do it. Publishing packages to package distributors? No, that crosses a line. I don't want legal requirements, I don't want identification requirements, just to publish and distribute code.

If we want to avoid that we're going to need to step it up - that means, yeah, basic measures like strong 2FA to distribute packages should be a requirement. Signing packages should be a requirement. Acknowledging and triaging vulnerabilities should be a requirement. If you aren't willing to do the above, which is frankly trivial, you shouldn't be allowed to publish software for distribution purposes.

I think we need to start taking a bit more responsibility for the work we do. "NO WARRANTY" doesn't mean "No obligations", it just means no one has a legal right to pursue damages due to your software, you should still do some things.

edit: K I'm rate limited so I can't have this conversation with all of you, thanks again Dang