  1. opensource.org › wp-content › uploads2022 - opensource.org

    the Open Source Definition (OSD), and prevented abuse of the ideals and ethos inherent to the open source movement. Our 2022 plans include: • Reinforce how we publish and review licenses to improve transparency • Increase engagement with standards-setting organizations to defend open standards

  2. Nov 18, 2022 · The framework will provide guidance on: Identifying open source components. Securing software development life cycle processes. Creating SBOMs that provide an inventory of components, versions...

    • What Is The Securing Open Source Software Act About?
    • What Is The Rationale Behind This Act?
    • What Will The Legislation Do?
    • What Are The Next Steps?
    • What’s Our Take?
    • Summary of Draft Securing Open Source Software Act of 2022

    On 21st September 2022, U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation, the Securing Open Source Software Act (the “Act”), to help protect federal agencies and critical infrastructure systems by strengthening th...

    The Securing Open Source Software Act is in response to the Log4Shell vulnerability discovered in late November 2021. A subsequent hearing on Log4Shell discussed key findings and learnings, which focused on the practical challenges of security that apply to all software, not just open source. In a written statement at the hearing, Senator Peters, Ch...

    Open Source Focus for CISA

    As introduced, the bill would give new responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency responsible for strengthening cybersecurity and infrastructure protection. The legislation requires CISA to hire professionals with expertise in the open source community “to the greatest extent practicable” and allows CISA to establish a Software Security Advisory Subcommittee, which covers open source security, within CISA’s Cybersecurity Advisory Commit...

    Open Source Risk Assessment Framework

    CISA would produce an initial assessment framework for handling open-source code risk, incorporating government, industry, and open source community frameworks and best practices from software security. Using this framework, CISA would perform an automated analysis of open source software components used by federal systems no less than every two years. Finally, CISA would establish a pilot program to consider doing a similar analysis for non-federal critical infrastructure systems.

    Federal Agency OSPOs

    Finally, the Act would establish a pilot program to establish an Open Source Program Office (OSPO) within at least one Federal agency, which would be modeled on existing OSPOs from the private sector, nonprofits, and academia. Additionally, the Office of Management and Budget (OMB) would issue guidance for Chief Information Officers at each Federal agency on how to contribute to and manage risks for open source software, considering industry and community best practices. For more information,...

    This proposed legislation is the latest signal from Congress around cybersecurity within the federal government. There has been a tremendous focus, starting with the May 2021 White House Executive Order on Improving the Nation’s Cybersecurity and its focus on lifecycle management practices within federal agencies. It’s possible that the bill may be ...

    It’s very encouraging to see Congress taking affirmative steps to address cybersecurity challenges in the software supply chain. The US Congress’ focus on the critical role open source software plays matches the White House’s focus on these issues. Some of the ideas sound familiar to us – for example, the use of Software Bill of Materials (SBOMs), ...

    The draft Act was introduced on September 22, 2022. The draft states its purpose is to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency (CISA) regarding open source software security. CISA is an operational division within the Department of Homeland Security. CISA coordinates as one of the Federal agencies...

    • The White House hosts open-source security summit. In January, The White House convened government and private sector stakeholders to discuss initiatives to improve the security of open-source software and new approaches to collaboration to drive improvements.
    • OpenSSF, Linux Foundation publish Open Source Software Security Mobilization Plan. In May, the OpenSSF and the Linux Foundation published The Open Source Software Security Mobilization Plan, outlining a 10-stream strategy with steps for immediate and long-term improvements within open-source software for both underlying components and operation.
    • JFrog introduces Project Pyrsia to secure open-source software packages, binary code. In May, JFrog announced the launch of Project Pyrsia, a decentralized, secure build network and software package repository that uses blockchain technology to secure open-source software packages from vulnerabilities and malicious code.
    • OpenUK launches Summer of Open Source Security. In June, OpenUK launched the Summer of Open Source Security, a two-month-long initiative featuring events, talks, and podcasts dedicated to open-source software security and supply chain management.
  3. The leading voice on the policies and principles of open source. Protecting the Open Source ecosystem. We support institutions and individuals working together to create communities of practice in which the healthy open source ecosystem thrives.

  4. Nov 30, 2023 · How should open source software security solutions be implemented from a technical and resourcing perspective? Potential areas of focus they sought input on to address these questions included: Secure open-source software foundations; Sustaining open source software communities and governance

  6. The Open Source Initiative (OSI) is a California public benefit corporation, with 501(c)3 tax-exempt status, founded in 1998. We are also actively involved in Open Source community-building, education, and public advocacy to promote awareness and the importance of non-proprietary software.