Friday, April 7, 2023

Review - S 917 Introduced – CISA and Open-Source Software

Last month Sen. Peters (D,MI) introduced S 917, the Securing Open Source Software Act of 2023. The bill establishes several areas of responsibility for CISA regarding open-source software security. No funding is authorized in the bill. This bill is very similar to S 4913, which Peters introduced last session. That bill was reported by the Senate Homeland Security and Governmental Affairs Committee, but no further action was taken.

Moving Forward

Peters is the Chair of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. This should ensure that the Committee once again takes up the bill. It will likely pass, as it did last session, with strong bipartisan support. The earlier bill did not make it to the floor of the Senate last session, but that was, at least in part, due to its relatively late introduction. It is unlikely that this legislation would be taken up under regular order due to time and political constraints. So, it would have to be considered under the unanimous consent process or added to some must-pass bill as an amendment. Both options face political constraints that would have nothing to do with the merits or general support of the bill.

Commentary

The unique problem with open-source software is not that it is ‘poorly written’ (the many vulnerabilities that stem from poor coding practices are found in ‘closed source’ software as well as in open-source software). No, the problem with many of the smaller libraries that are the source of so many vulnerabilities is that there is little support for correcting the problems once they are identified.

What might be more helpful is if CISA were given the authority to fund internships with the creators of selected critical open-source components that have minimal support available. Identifying the critical components will become easier as SBOM requirements become more common, but identifying the authors who would be willing to accept government-sponsored interns might be a challenge. Oversight of such internships would also be a challenge. But this could provide immediate support for overstretched authors, as well as broadening the pool of people familiar with the details of the critical software.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-917-introduced - subscription required.