Wednesday, September 28, 2022

Review - S 4913 Introduced – CISA and Open-Source Software

Last week, Sen Peters (D,MI) introduced S 4913, the Securing Open Source Software Act of 2022. The bill establishes several areas of responsibility for CISA regarding open source software security. No funding is authorized in the bill. The Senate Homeland Security and Governmental Affairs Committee is scheduled to take up the bill today.

Moving Forward

Peters is the Chair of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This explains why that Committee is taking up the bill tomorrow in a markup hearing. The bill is one of 24 that will be considered in that hearing, so little discussion is expected. Amendments may be considered, with most having been worked out in advance so that the Committee will be able to adopt most of the amendments proposed.

I do not see anything in this bill that should engender any organized opposition. I suspect that there will be bipartisan support for the bill since it provides the appearance of doing something about open-source software security. The big problem is that there is little time to move this bill beyond the Committee markup, unless the bill can be successfully considered under the unanimous consent process or added to one of the must pass bills that have yet to be taken up.

Commentary

The unique problem with open-source software is not that it is ‘poorly written' (the multiple vulnerabilities from poor coding practices are found in software from ‘closed sources’ as well as open-sourced software). No, the problem with many of the smaller libraries that are source for so many vulnerabilities, is that there is little support for correcting the problems when they are identified.

What might be more helpful is that if CISA were given the authority to fund internships with open-source creators of selected critical open-source components that have minimal support available. Identifying the critical components will become easier as SBOM requirements become more common but identifying the authors that would be willing to accept government sponsored interns might be a challenge. Oversight of such internships would also be a challenge. But this could provide immediate support for challenged authors, as well as broadening the scope of those familiar with the details of the critical software.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4913-introduced - subscription required.


No comments:

 
/* Use this with templates/template-twocol.html */