
MAR 09, 2022 | US

In Letter to White House, BSA Outlines Recommendations for Open Source Software Security

WASHINGTON – March 9, 2022 – BSA | The Software Alliance today sent a letter to the White House’s National Cyber Director and the Deputy National Security Advisor for Cyber and Emerging Technology outlining 12 recommendations to improve open source software security. These suggestions for the public and private sectors focus on minimizing vulnerabilities in open source software, improving the process of identifying vulnerabilities and developing patches, and expediting the distribution and implementation of patches.

“The log4j vulnerability highlighted the unique challenges of securing open source software. While it’s not realistic to expect any software to be entirely free of vulnerabilities, developers and consumers of open source software can take steps to minimize vulnerabilities and their impact while supporting proactive cybersecurity risk management,” said Henry Young, Director, Policy at BSA | The Software Alliance. “Our recommendations are aggressive but achievable, and we urge the US Government to implement our proposals while working with governments around the world to do the same.”

BSA’s letter includes the following recommendations for making significant improvements in open source software security:

  1. Developers of open source software should use best practices for developing and assessing software security, such as NIST’s Secure Software Development Framework or the BSA Framework for Secure Software.
  2. Developers and consumers of open source software should invest in the development and maintenance of open source software they use.
  3. The US Government should require all colleges and universities that receive federal funds and provide instruction on software development to include appropriate instruction on secure software development processes, secure capabilities, and secure lifecycle management in their curriculum.
  4. Developers of open source software that have employees should require their employees responsible for developing software to obtain appropriate training on secure development processes, secure capabilities, and secure lifecycle management.
  5. Developers of open source software should participate in public-private partnership projects that are aimed at implementing and demonstrating secure software development practices.
  6. Developers of open source software should use best practices for identifying vulnerabilities, coordinating disclosure, and developing patches.
  7. Developers and consumers of open source software should commit to working together to identify and prioritize the security of the most critical open source software components and the most critical open source software platforms.
  8. Developers and consumers of open source software should proactively maintain their products and services and have vulnerability identification and management processes that may include periodic automated scans of their software for vulnerabilities contained in up-to-date lists of the most critical software vulnerabilities.
  9. The US Government, working through the General Services Administration (GSA), should ensure that GSA’s code.gov builds off and is complementary to the other actions suggested here.
  10. Developers and consumers of open source software should use best practices for distributing and implementing patches.
  11. Developers and consumers of open source software should respond to a vulnerability commensurate with the risk it creates.
  12. Developers of open source software should have a process for considering whether to push out an available patch outside their normal patching schedules.

To read BSA’s full letter, click here.

ABOUT BSA

BSA | The Software Alliance (www.bsa.org) is the leading advocate for the software industry before governments and in the international marketplace. Its members are among the world’s most innovative companies, creating software solutions that spark the economy and improve modern life.

Headquartered in Washington, DC, and with operations in more than 30 countries, BSA pioneers compliance programs that promote legal software use and advocates for public policies that foster technology innovation and drive growth in the digital economy.

PRESS CONTACTS

Michael O’Brien

For Media Inquiries