Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, and other key government authorities received a proposal, which large corporations have promised to fund and support, to secure the open source software that underpins their technology.
The plan, for example, emphasises the need to phase out coding languages that are not memory-safe in order to improve the security of open source software. Languages like Cobol and C++ are faster and more efficient, but they are more vulnerable to certain classes of flaws.
The plan would also include identifying and auditing specific libraries and dispatching incident response teams as needed, work that tools such as a standardised software bill of materials (SBOM) would make easier.
Debates over who is responsible for what in a secure software development process, as well as how to appropriately structure incentives, have been simmering for years. The National Institute of Standards and Technology has produced and updated a number of new guidance materials for agencies and other enterprise clients to safeguard their software supply chains in compliance with Executive Order 14028. More work on the obligations of supply chain providers, such as those who produce core information and communications technology, is on the horizon, according to the agency.
Brian Behlendorf, general manager of the Open Source Security Foundation, testified before the House Science Committee on Wednesday about the importance of addressing the security of the open source libraries serving the internet’s routing system, in the context of prioritising where the open source software community should focus its attention.