MAR 09, 2022 | US
In Letter to White House, BSA Outlines Recommendations for Open Source Software Security
WASHINGTON – March 9, 2022 – BSA | The Software Alliance today sent a letter to the White House’s National Cyber Director and the Deputy National Security Advisor for Cyber and Emerging Technology outlining 12 recommendations to improve open source software security. These suggestions for the public and private sectors focus on minimizing vulnerabilities in open source software, improving the process of identifying vulnerabilities and developing patches, and expediting the distribution and implementation of patches.
“The log4j vulnerability highlighted the unique challenges of securing open source software. While it’s not realistic to expect any software to be entirely free of vulnerabilities, developers and consumers of open source software can take steps to minimize vulnerabilities and their impact while supporting proactive cybersecurity risk management,” said Henry Young, Director, Policy at BSA | The Software Alliance. “Our recommendations are aggressive but achievable, and we urge the US Government to implement our proposals while working with governments around the world to do the same.”
BSA’s letter includes the following recommendations for making significant improvements in open source software security:
- Developers of open source software should use best practices for developing and assessing software security, such as NIST’s Secure Software Development Framework or the BSA Framework for Secure Software.
- Developers and consumers of open source software should invest in the development and maintenance of open source software they use.
- The US Government should require all colleges and universities that receive federal funds and provide instruction on software development to include appropriate instruction on secure software development processes, secure capabilities, and secure lifecycle management in their curriculum.
- Developers of open source software that have employees should require their employees responsible for developing software to obtain appropriate training on secure development processes, secure capabilities, and secure lifecycle management.
- Developers of open source software should participate in public-private partnership projects that are aimed at implementing and demonstrating secure software development practices.
- Developers of open source software should use best practices for identifying vulnerabilities, coordinating disclosure, and developing patches.
- Developers and consumers of open source software should commit to working together to identify and prioritize the security of the most critical open source software components and the most critical open source software platforms.
- Developers and consumers of open source software should proactively maintain their products and services and have vulnerability identification and management processes that may include periodic automated scans of their software for vulnerabilities contained in up-to-date lists of the most critical software vulnerabilities.
- The US Government, working through the General Services Administration (GSA), should ensure that GSA’s code.gov builds on and is complementary to the other actions suggested here.
- Developers and consumers of open source software should use best practices for distributing and implementing patches.
- Developers and consumers of open source software should respond to a vulnerability commensurate with the risk it creates.
- Developers of open source software should have a process for considering whether to push out an available patch outside their normal patching schedules.
To read BSA’s full letter, click here.
About BSA
BSA | The Software Alliance (www.bsa.org) is the leading advocate for the global software industry before governments and in the international marketplace. Its members are among the world’s most innovative companies, creating software solutions that spark the economy and improve modern life.
With headquarters in Washington, DC, and operations in more than 30 countries, BSA pioneers compliance programs that promote legal software use and advocates for public policies that foster technology innovation and drive growth in the digital economy.