Today, the White House convened government and private sector stakeholders to discuss initiatives to improve the security of open source software and ways new collaboration could rapidly drive improvements. Software is ubiquitous across every sector of our economy and foundational to the products and services Americans use every day. Most major software packages include open source software – including software used by the national security community. Open source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance.
Participants had a substantive and constructive discussion on how to make a difference in the security of open source software, while effectively engaging with and supporting, the open source community. The discussion focused on three topics: Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes. In the first category, participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities. In the second category, participants discussed how to prioritize the most important open source projects and put in place sustainable mechanisms to maintain them. In the final category, participants discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s Executive Order, to make it easier to know what is in the software we purchase and use. All participants – private sector and government – will continue discussions to support these initiatives in the coming weeks, which are open to all interested public and private stakeholders.
Meeting participants included Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, Office of Science and Technology Policy, the Department of Defense, the Department of Commerce, the Department of Energy, the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, and the National Science Foundation. Private sector organizations joining were Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, RedHat, VMWare. Meeting participants reflect some but not all of the largest public and private users and maintainers of open source software and Departments and Agencies which will carry this work forward. President Biden has made software security a national priority. His Executive Order on Cybersecurity requires that only companies that use secure software development lifecycle practices and meet specific federal security guidance will be able to sell to the federal government – for the first time, leveraging the purchasing power of the Federal government to drive improvements in the software supply chain, improvements that companies and governments around the world will benefit from.