By Bill Ledingham
Government agencies increasingly rely on open source software (OSS), and, like organizations in every other industry, they face the challenge of managing OSS logistics effectively.
OSS logistics, put simply, is the ongoing work of remediating the security vulnerabilities, and the legal and operational risks, that come with using open source. When a new vulnerability such as Heartbleed (in the OpenSSL cryptographic library) or Shellshock (in the widely used Bash shell) comes to light, an organization needs to know immediately whether it is affected and, if so, exactly where it has deployed software or applications containing the vulnerable component. Without that knowledge, the consequences can be devastating.
It has been estimated that Heartbleed alone affected about two-thirds of active websites. Further, since its discovery in April 2014, an additional 24 vulnerabilities have been reported in OpenSSL. Discovering open source vulnerabilities is therefore not a one-time event; it is an ongoing threat to the critical infrastructure of the U.S.
Last December, U.S. Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced the “Cyber Supply Chain Management and Transparency Act of 2014” (H.R. 5793) that would require the production of a Bill of Materials (BOM) for all third party and open source components by “all contractors of software, firmware, or products developed for or purchased by the U.S. government.”
To help organizations, specifically in the government sector, understand the intentions and purpose of this proposed bill, I’ve outlined the problem, solution, and what to expect next.
The federal government has long recognized the challenges inherent in supply chain management, especially in military and federal procurement and in multi-tier contracting. The biggest hurdle for government suppliers is producing a comprehensive software BOM against which they can map known and newly discovered vulnerabilities. That mapping is what makes it possible to assess exposure and track remediation over time.
Procurement already has processes for tracking physical supplies through inventory and parts lists; the bill seeks to extend the same visibility to software, where it does not yet exist. By some estimates, a third of the software in use is open source, so knowing which OSS you have is critical. As with any new regulation, there will be pushback from organizations affected by the increased reporting requirements.
The good news is that many software companies already have mature solutions and processes in place to address this problem. These solutions scan software to identify open source and third party code, and then map published vulnerabilities directly to the identified components, by name and version. No new technology is needed for software vendors to meet the provisions of the bill; they need only adopt existing solutions if they have not already done so.
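The core of such a solution is simple enough to show in a few dozen lines: keep an inventory of components with their versions and locations, keep a feed of vulnerabilities with their affected version ranges, and join the two. The example below is added here as an illustration; it is not Black Duck's code or anything from the bill. The BOM and the vulnerability feed are constructed inline so it runs offline. The Heartbleed record follows the public advisory (CVE-2014-0160 affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g); the zlib record and its "EXAMPLE-0001" identifier are hypothetical placeholders used only to exercise the range boundary.

```python
"""Map a software bill of materials (BOM) to known vulnerabilities.

Added example, not code from Black Duck or from the bill. The BOM and the
vulnerability feed below are constructed inline so the script runs offline.
"""
import re
from typing import Dict, List, Tuple

VersionKey = Tuple[Tuple[int, object], ...]

# Constructed BOM: each entry records one shipped component and where it
# lives. A real BOM carries more (supplier, license, hash), but name,
# version and location are the minimum needed to answer "are we affected,
# and where?" when a new advisory lands.
BOM: List[Dict[str, str]] = [
    {"name": "openssl", "version": "1.0.1f", "location": "vendor/openssl"},
    {"name": "openssl", "version": "1.0.1g", "location": "appliance/libssl"},
    {"name": "bash",    "version": "4.3",    "location": "rootfs/bin/bash"},
    {"name": "zlib",    "version": "1.2.8",  "location": "vendor/zlib"},
]

# Constructed vulnerability feed. The Heartbleed record follows the public
# advisory (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g).
# The zlib record and its id are hypothetical, used only to show that the
# "fixed" version itself is not reported as affected.
VULNS: List[Dict[str, str]] = [
    {"id": "CVE-2014-0160", "name": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"id": "EXAMPLE-0001",  "name": "zlib",    "introduced": "1.2.0", "fixed": "1.2.8"},
]

_SEGMENT = re.compile(r"\d+|[a-z]+")


def parse_version(version: str) -> VersionKey:
    """Turn '1.0.1f' into a comparable key ((0,1),(0,0),(0,1),(1,'f')).

    Numeric segments are tagged 0 and letter segments 1, so Python never
    compares an int with a str. A bare '1.0.1' sorts before '1.0.1f' because
    it is a proper prefix. Letters matter here: OpenSSL used them as patch
    levels, so 1.0.1f must sort below 1.0.1g.
    """
    key = []
    for seg in _SEGMENT.findall(version.lower()):
        key.append((0, int(seg)) if seg.isdigit() else (1, seg))
    return tuple(key)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed; 'fixed' is the first clean release."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_bom(bom: List[Dict[str, str]], vulns: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Join the BOM against the feed: one finding per affected component instance."""
    findings = []
    for component in bom:
        for vuln in vulns:
            if vuln["name"] != component["name"]:
                continue
            if is_affected(component["version"], vuln["introduced"], vuln["fixed"]):
                findings.append({
                    "id": vuln["id"],
                    "name": component["name"],
                    "version": component["version"],
                    "location": component["location"],
                    "upgrade_to": vuln["fixed"],
                })
    return findings


def locations_for(findings: List[Dict[str, str]], vuln_id: str) -> List[str]:
    """The operational question: where exactly is this vulnerability deployed?"""
    return sorted(f["location"] for f in findings if f["id"] == vuln_id)


if __name__ == "__main__":
    for f in match_bom(BOM, VULNS):
        print(f"{f['id']}: {f['name']} {f['version']} at {f['location']} "
              f"(upgrade to {f['upgrade_to']})")
```

Run against the constructed data, only the OpenSSL 1.0.1f copy under vendor/openssl is reported; the 1.0.1g build, the zlib at its fixed version, and bash (for which this feed has no record) are not. The point of keeping the BOM rather than rescanning is the last function: when the next advisory arrives, answering "where is it deployed?" is a lookup, not a new discovery exercise.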
The language of the Cyber Supply Chain Management and Transparency Act of 2014 acknowledges that open source is a critical resource and signals the key role OSS plays, and will continue to play, in government IT operations. The bill is a positive first step toward transparency, which is both valuable and achievable. By complying with it, federal contractors will know what is in their code and will be able to address issues proactively as they are discovered.
As with most legislation, parties will line up on both sides. Software companies that have not yet put solutions in place for understanding the OSS in their products are likely to oppose the bill, because to them it represents additional compliance and reporting requirements, that is, cost. In addition, H.R. 5793 is one of several proposals involving cybersecurity and data privacy. While there is strong momentum and a desire for quick action, the outcome is far from clear. Given the overall scope of what is being proposed and considered, months of discussion and debate are likely before anything passes, with compromises and permutations along the way. In the best case, the merits of H.R. 5793 will stand on their own.
Even with the recent high-profile breaches at Sony Pictures and Anthem and the flood of attention accompanying them, H.R. 5793 still has high hurdles to clear before it passes. Even so, the fact that cybersecurity and open source vulnerabilities have entered the conversation across the tech, business, and media landscape is a major win for advocates of proper security planning and OSS logistics. Only time will tell whether legislation passes before the next disaster hits.
Bill Ledingham is the CTO/EVP of engineering at Black Duck Software.