{"id":2452,"date":"2024-01-30T21:09:11","date_gmt":"2024-01-30T21:09:11","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78949"},"modified":"2024-01-30T21:09:11","modified_gmt":"2024-01-30T21:09:11","slug":"white-house-releases-report-on-securing-open-source-software","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/30\/white-house-releases-report-on-securing-open-source-software\/","title":{"rendered":"White House releases report on securing open-source software"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>White House releases report on securing open-source software | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/white-house-securing-open-source-software\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"White House releases report on securing open-source software\"> <meta property=\"og:description\" content=\"End-of-year report highlights work from Open-Source Software Security Initiative and targets going forward.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/white-house-securing-open-source-software\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-01-30T21:09:11+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1080\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1706645550g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css,\/wp-content\/plugins\/embedpress\/Gutenberg\/dist\/blocks.style.build.css?m=1706671497\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/plugins\/embedpress\/assets\/css\/embedpress.css,\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1706671497\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=b50a7fc68d02387a0cbc\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-10\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-includes\/css\/dashicons.min.css,\/wp-content\/plugins\/embedpress\/assets\/css\/plyr.css?m=1706671497\" type=\"text\/css\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/78949\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=78949\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fwhite-house-securing-open-source-software%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fwhite-house-securing-open-source-software%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-78949 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/white-house-securing-open-source-software\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.257053291536\">\n<div class=\"single-article__header-content\" readability=\"28.89400921659\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/government\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> End-of-year report highlights work from Open-Source Software Security Initiative and targets going forward. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Computer language script and coding on screen with a man reflection in the background. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"42.36853589352\"><body readability=\"85.959097320169\"><\/p>\n<p>The White House said it is making progress on its work to better secure open-source software, releasing an end-of-year report that details efforts on a transparent and collaborative software development process that underlines nearly every type of software.<\/p>\n<p>The Log4Shell vulnerability discovered in 2021 laid bare both the ubiquity of open-source code and the potential danger if not properly secured. While open-source software is not inherently more vulnerable than proprietary code, the distributed nature of the development and use of such software can have widespread impact if vulnerable.<\/p>\n<p>\u201cAlmost every software application, website, mobile device, and Internet of Things device \u2014 including those used by small businesses, the Federal Government, and the national security community \u2014 incorporates open-source software to enable and scale rapid application development processes,\u201d the administration <a href=\"https:\/\/www.whitehouse.gov\/oncd\/briefing-room\/2024\/01\/30\/fact-sheet-biden-harris-administration-releases-end-of-year-report-on-open-source-software-security-initiative\/\">noted in the Tuesday report<\/a>.<\/p>\n<p>These unique characteristics lead the administration to champion the securing of open-source software in the <a href=\"https:\/\/cyberscoop.com\/biden-national-cybersecurity-strategy-2023\/\">national cybersecurity strategy<\/a> and subsequent <a href=\"https:\/\/cyberscoop.com\/national-cybersecurity-strategy-implementation-plan-2\/\">implementation plan<\/a> through the Open-Source Software Security Initiative (OS3I), an inter-agency working group.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The end-of-year report goes over the four areas the administration focused on last year through the OS3I: unifying the federal government\u2019s voice on open-source software security, establishing a strategic approach to secure such software, encouraging long-term investment, and engaging and building trust with the open-source community.<\/p>\n<p>According to the report, one major roadblock is promoting best practices for secure development in open-source projects, since the entire process is often decentralized and voluntary. A <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CSRB-Report-on-Log4-July-11-2022_508.pdf\">report of the Log4Shell incident<\/a> by the <a href=\"https:\/\/cyberscoop.com\/csrb-hearing-authority-transparency\/\">Cyber Safety Review Board<\/a> noted that open-source projects \u201cgenerally do not have dedicated coordinated vulnerability disclosure and response teams that investigate root causes of reported vulnerabilities and work to bring them to resolution.\u201d<\/p>\n<p>Another concern is that due to the ubiquitous nature of open-source code, many companies don\u2019t even know what they have when there is a major vulnerability or when they suffer a zero-day exploitation, the report notes. Even now, versions of the vulnerable Apache Log4j software are still being found, <a href=\"https:\/\/www.theregister.com\/2023\/12\/11\/log4j_vulnerabilities\/\">years later<\/a>. Additionally, companies often profit from the work of these voluntary projects without contributing back either through funds of other resources, leaving key projects under-resourced.<\/p>\n<p>\u201cEfforts to secure open-source software are challenged by a range of factors, including decisions within companies to reserve security-related features for commercial products built upon open-source software, inconsistent contributions to help sustain open-source software projects from corporate consumers, and the decentralized ownership and varied development processes of open-source projects, with contributions coming from entities with varying resources, capabilities, and priorities,\u201d the report states.<\/p>\n<p>Last year, the National Science Foundation penned a \u201c<a href=\"https:\/\/www.nsf.gov\/pubs\/2023\/nsf23149\/nsf23149.jsp\">dear colleague letter<\/a>\u201d encouraging proposals to secure the open-source software ecosystem. The Cybersecurity and Infrastructure Security Agency in September <a href=\"https:\/\/cyberscoop.com\/openssf-open-source-security-summit\/\">published its own roadmap<\/a> to secure open-source in the federal government and broader ecosystem. CISA has leaned heavily on promoting both memory-safe languages to drastically reduce the number of vulnerabilities and software bill of materials.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The administration also released a request for information on open-source software security, asking for expert opinions on securing open-source software<\/p>\n<p>The White House report notes that the OS3I will continue in 2024 by \u201ctaking stock of the research and information submitted through the RFI to inform future OS3I workstreams and priority actions.\u201d<\/p>\n<p>Additionally, the administration will \u201ccontinue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.\u201d<\/p>\n<p>The OS3I will also continue to reach out to the community to \u201cidentify and highlight policy solutions that improve the security of the open-source software ecosystem.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.530487804878\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/white-house-releases-report-on-securing-open-source-software-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/white-house-securing-open-source-software\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>White House releases report on securing open-source software | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[452,117,1073,639],"tags":[454,119,1076,641],"class_list":["post-2452","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-and-infrastructure-security-agency-cisa","category-government","category-open-source","category-white-house","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-government","tag-open-source","tag-white-house"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/white-house\/\" rel=\"category tag\">White House<\/a>","tag_info":"White House","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2452"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2452\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}