> The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.
So basically just another framework to evaluate risk for use by the Federal Government. A nothing burger as it were. Which I am on one hand glad about, because I don't like the government starting to get involved in Open Source which is at its core "Here's some code I wrote or whatever", but it also isn't doing anything for security.
Not a complete nothing burger; a lot of people here work for companies that sell to the Feds or host FedRAMP-authorized SaaS solutions. There will definitely be private-sector impact from that risk framework, though I'm not saying that's necessarily a good or a bad thing.
“The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability.”
So we should definitely expect at least some minute changes to the open source economy, itself.
This is the worst part. "Experience developing open source software" is both entirely vague and specific at the same time, likely conjuring up an image of some developer with green boxes on a GitHub repo or something, which is terrible. This is going to force the creation of some sort of silly criteria for what constitutes that experience, of which suits in federal agencies, and the political pressure and politicians they are behest to, will likely have no concept of less-popular open source communities, which will detract from the ethos of open source and ultimately, and more importantly, freedom.
It sounds innocuous enough, but could the real motivation be to make open source software so expensive to use that all government agencies "choose" to use closed source software?
(This is a genuine question, I'm honestly not sure what the consequences, intended or otherwise, could be?)
Nah. You'd just need to use the old versions that had gone through a security audit and had some enterprise level Long Term Support contracts available.
IBM will offer quotes for whatever is required within 2 quarters or less.
That could happen. One of the easiest ways of handling the situation would be to sign an agreement with an organization like Tidelift, who pass money on to OSS projects to keep handling the dev work.
The legislation seems a little pointlessly broad. "Open source" is just software at the end of the day so it can easily be covered by existing STIG guidelines. These already work with Ubuntu and Red Hat.
Open source doesn't need a special response process, and the only reason you'd want one is if you're old guard like Symantec, F5, VMWare, or Veritas and starting to become alarmed at the amount of business you're losing to open source now that "devops" is starting to catch on and a recession is in effect.
This will result in "we can't use open source because the boss doesn't want to deal with the paperwork. We'll get John from X massive company on the phone and license their version."
Imagine a job where all you do is meetings, and never have to deliver anything. That dream is a reality in government. There's a problem with something? Let's make a committee. Let's create paperwork. But now we're managing more things, so we get bumped up to a more prestigious position. - this goes on and on.
It operates despite inefficiency. Because it's artificially propped up by tax dollars. No one is responsible, it's free money.
I'm really curious how this would have protected the government from log4shell. Log4j is (or at least was) one of the more reputable open source projects.
This kind of feels like doing something for the sake of doing something about log4shell, without actually solving any problems. And will undoubtedly result in the government paying more taxpayer dollars for software that complies with this new framework.
It sounds extremely similar to the executive order from Biden last year. For what it's worth, I think some parts of that are valuable such as producing a bill of materials for all the software that gets shipped. That way figuring out if some product uses a vulnerable version of log4j is very simple and independent of particular programming languages.
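As an added illustration of the SBOM point above (example code written for this thread, not from any commenter, vendor or agency): a small checker that reads a CycloneDX-style SBOM and flags components whose version falls inside an advisory's affected range. The SBOM document and the advisory table are constructed for the example; the log4j-core range used is the Log4Shell range as commonly published, but treat it as illustrative data and pull real ranges from your vulnerability feed. The version parser is a deliberately simple one that handles pre-release tags such as `2.0-beta9`.

```python
import json
import re

# Constructed CycloneDX-style SBOM (not from any real product). Mixing a Maven
# and a PyPI component shows that the check is language-independent.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1"},
    ],
})

# Constructed advisory table: (group, name, first affected, first fixed, label).
# Assumed/illustrative data; a real checker would load this from a vulnerability feed.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.15.0", "Log4Shell (JNDI lookup)"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d+)?)?$")


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Layout: (major, minor, patch, release_flag, prerelease_tag, prerelease_num).
    release_flag is 1 for a final release and 0 for a pre-release, so a final
    release sorts after any pre-release of the same numeric base.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad '2.0' to (2, 0, 0)
    if m.group(2):
        return nums + (0, m.group(2).lower(), int(m.group(3) or 0))
    return nums + (1, "", 0)


def find_affected(sbom_json):
    """Return (coordinates, version, label) for each component inside an advisory range.

    The range is half-open: first_affected <= version < first_fixed.
    """
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for group, name, first, fixed, label in ADVISORIES:
            if comp.get("group") != group or comp.get("name") != name:
                continue
            version = parse_version(comp["version"])
            if parse_version(first) <= version < parse_version(fixed):
                hits.append((f"{group}:{name}", comp["version"], label))
    return hits


if __name__ == "__main__":
    for coords, version, label in find_affected(SAMPLE_SBOM):
        print(f"AFFECTED {coords} {version}: {label}")
```

Running it flags only the `log4j-core 2.14.1` entry; `log4j-api` is skipped because the advisory names `log4j-core` specifically, and `log4j-core 2.17.1` sits above the fixed version. In production you would match on the `purl` rather than on group/name strings and take the ranges from a feed, but the structure of the check stays the same.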