"securing open source software act" would rationally mean funding the NSA or similar experts to help harden open source software, right? Or, hey, telling the NSA to disclose vulnerabilities they find in open source software so they can be patched, instead of sitting on them hoping nobody else notices. Right? No? Wait, what? It's just about telling the federal government to use less open source software? How does that make open source software more secure?



You're just attacking the title. The description doesn't demonize OSS at all, it praises it.

Risk frameworks are important, but they're not something you need the NSA to help you accomplish.

It doesn't take the NSA to do things like:

"Make a list of dependencies"

"Make sure that they have active developers"

"Check the list of dependencies for vulnerabilities"

"Look in the commit history to make sure one doesn't say 'People's Liberation Army -- implementing backdoor'"
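
The dependency checks listed in the comment above, as an added example that is not from the thread or from any project: a small Python triage script that enumerates a requirements.txt-style manifest, flags packages with no recent commits, and matches pinned versions against an advisory list. All inputs are constructed inline (fictional package names, fictional advisory IDs, made-up last-commit dates) so it runs offline; the "introduced <= version < fixed" range rule is an assumption borrowed from common advisory formats, and a real tool would fetch commit dates and advisories from a forge API and a vulnerability feed instead of the constants here.

```python
# Added example (not from the thread or any project): three of the
# dependency-risk checks listed above, over constructed inline data.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed requirements.txt-style manifest; package names are fictional.
MANIFEST = """\
# build deps for the example service
alpha-utils==1.4.2
beta-http==0.9.1   # pinned for compatibility
gamma-json==3.0.0
"""

# Constructed stand-in for forge metadata (last commit on the default branch).
LAST_COMMIT: Dict[str, date] = {
    "alpha-utils": date(2024, 3, 2),
    "beta-http": date(2017, 6, 11),
    "gamma-json": date(2023, 11, 20),
}

# Constructed advisories with fictional IDs. Assumed range semantics: a
# version is affected if introduced <= version < fixed (half-open interval).
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "alpha-utils", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2021-0007", "package": "gamma-json", "introduced": "2.0.0", "fixed": "2.6.0"},
]


def parse_version(s: str) -> Version:
    """Numeric dotted versions only; pre-release suffixes are out of scope here."""
    return tuple(int(part) for part in s.strip().split("."))


def parse_manifest(text: str) -> Dict[str, Version]:
    """Step 1: build the dependency list. Unpinned entries are rejected because
    a risk review needs to know which exact version ships."""
    deps: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, ver = line.partition("==")
        if not ver:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = parse_version(ver)
    return deps


def idle_days(name: str, as_of: date) -> Optional[int]:
    """Step 2 input: days since the last commit, or None if unknown."""
    last = LAST_COMMIT.get(name)
    return None if last is None else (as_of - last).days


def matching_advisories(name: str, version: Version) -> List[str]:
    """Step 3: advisory IDs whose affected range contains this version."""
    hits = []
    for adv in ADVISORIES:
        if adv["package"] != name:
            continue
        lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        if lo <= version < hi:
            hits.append(adv["id"])
    return hits


@dataclass
class Finding:
    package: str
    version: str
    reasons: List[str] = field(default_factory=list)


def triage(manifest: str, as_of: date, max_idle_days: int = 365) -> List[Finding]:
    """Run all checks; a package with no reasons produces no finding."""
    findings: List[Finding] = []
    for name, ver in parse_manifest(manifest).items():
        reasons: List[str] = []
        idle = idle_days(name, as_of)
        if idle is None:
            reasons.append("no repository metadata")  # unknown is itself a finding
        elif idle > max_idle_days:
            reasons.append(f"no commits in {idle} days")
        for adv_id in matching_advisories(name, ver):
            reasons.append(f"affected by {adv_id}")
        if reasons:
            findings.append(Finding(name, ".".join(map(str, ver)), reasons))
    return findings


def demo_findings() -> List[Finding]:
    """Fixed as-of date so the constructed example is reproducible."""
    return triage(MANIFEST, date(2024, 6, 1))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.package}=={f.version}: " + "; ".join(f.reasons))
```

On the constructed data this reports alpha-utils (pinned inside an advisory's affected range) and beta-http (no commits for roughly seven years) and stays silent on gamma-json. The fourth item in the list, reading commit history for suspicious changes, is deliberately not modelled: that is a human review step, and the script only narrows down which packages deserve it.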


Right, but it's focused on helping the government decide what open source not to use, rather than on actually making open source more secure.


The risk framework isn’t written yet, this just directs CISA to write one. While evaluating dependencies is often a part of what you’d do in a risk framework, it’s typically just one part.


A good move would be increasing funding for defensive security teams at NSA, especially those working on open-source software, and restoring the separation of governance/leadership between defensive and offensive security teams.


> Or, hey, telling the NSA to disclose vulnerabilities

Not disclosing them is an opportunity to legitimately spy on whatever they want using scapegoats (i.e. "North Korean hackers did that", etc.) and to legitimately sue or accuse enemies of using them (if they fix it, attackers won't attack).

