The Open Source Software Security Mobilization Plan by OpenSSF


The modern software supply chain relies pervasively on open source software (“OSS”) for both underlying components and operation. The ability for organizations (including companies and governments) to innovate faster, and at a higher level of quality, is often linked to their adoption of OSS components. Roughly 70-90% of any software “stack” consists of OSS [1, 2]. That shared benefit also comes with shared risk in the form of exposure to vulnerabilities in those OSS components.

Vulnerabilities and weaknesses in widely deployed software present systemic threats to the security and stability of modern society, as government services, infrastructure providers, nonprofits and the vast majority of private businesses rely on software in order to function.

The software supply chain is complex and as susceptible to disruption and corruption as any physical supply chain. While the private sector constantly invests in protecting the software supply chain via standards, shared services, and solutions to reduce the risk of both inadvertent errors and intentional attacks, the public sector can and should play a role in hardening these systems, just as it does with physical infrastructure (ports, power grids, telecommunications networks, etc.). The public and private sectors must work together to meet the collective security and safety needs of citizens and stakeholders, as the challenges in addressing these threats continue to grow.

While there are considerable ongoing efforts to secure the OSS supply chain, achieving acceptable levels of resilience and risk requires a more comprehensive series of investments that shift security from a largely reactive exercise to a proactive approach. Our objective is to evolve the systems and processes used to ensure a higher degree of security assurance and trust in the OSS supply chain.

This paper suggests a comprehensive portfolio of 10 initiatives which can start immediately to address three fundamental goals for hardening the software supply chain.

With OSS we have the ability to directly and systematically mitigate the risks associated with OSS use in a way that we do not have with proprietary software. This is due to the availability of the underlying source code, the way most development teams do their work in the open, and the significant amount of cross-project reuse of components and concepts.
