The Messaging Malware Mobile Anti-Abuse Working Group (M³AAWG) made recommendations to the Office of the National Cyber Director (ONCD) regarding the security of open-source software (OSS) in comments submitted to that office on Oct. 3rd, 2023. 

The United States Government sees the security, sustainability, and health of the OSS ecosystem as a national public priority.

Following the exploitation of the Log4Shell vulnerability, the ONCD established the Open-Source Software Security Initiative (OS3I) interagency working group. OS3I is charged with channeling government resources to improve OSS security.

M³AAWG’s comments in response to the Request for Information (RFI) on Open-Source Software Security will help to further the work of OS3I by identifying areas most appropriate to focus government priorities.

Open-source software is software that is released and distributed with the source code offered openly and with the understanding that others can change the code.

Software development becomes faster, cheaper, and more scalable with contributions from the open-source community. This collaborative environment can support both code quality and security. Software testing tends to be thorough and open-source elements are available for any developer to scrutinize for security flaws. It’s no surprise then that 80%-90% of all current software solutions include at least some open-source elements within their builds.

The Security Challenge: A Tiny Number of Developers and Maintainers for an Enormous OSS Ecosystem

What is good about OSS is also bad. The ubiquitous nature of OSS is driving increased vulnerabilities as the small community of contributors (often unpaid volunteers) pales in comparison to the enormous digital infrastructure they are charged with maintaining. Resources, support, and experience have been extended beyond reasonable capacity.

Many projects are not resourced sufficiently to provide reasonable assurance for code security, be this in terms of developer time, skill, or monetary resources. The volume and frequency of OSS code contributions can overwhelm those responsible for code review. Malicious updates can hide in updates (as well as genuine mistakes); this risk is particularly pronounced when maintainers are inexperienced.

The unpaid and overworked (and sometimes inexperienced) nature of the OSS developer and maintainer community creates risks that can stifle the innovative process. Their limited numbers may also mean software code libraries used in the development of many important projects may be abandoned later.

Malicious actors can exploit all these vulnerabilities. Open-source attacks by malicious actors are not new but their types and long-term funding have increased. Also, the selling, sharing, reuse, and compromise of developer credentials can lead to arbitrarily trusting an actor for which prior submissions were substantially supported but now contain malicious code.

M³AAWG has been working within the collaborative international security and privacy communities to monitor and address technical concerns with malicious actors, their abuse of technology, their methods, and their footprints. The goal is to stop the disruptions created by malicious acts while enabling the legitimate use of internet technologies.

Priorities for OS3I Focus: Improving OSS Security through Incentives, Education and Support

M³AAWG believes the U.S. Government, through OS3I, can improve OSS security in the following ways:

• Provide education programs highlighting the risks associated with the open-source supply chain including ways to mitigate those risks with best practices.
• Offer public recognition and economic incentives to encourage the use of Supply-chain Levels of Software Artifacts (SLSA) Version 1.0. This security framework detects tampering and traces software back to its source.   
• Increase the number and effectiveness of malicious actor prosecutions.
• Limit legislation expanding product liability onto open-source developers.
• Conduct research into software monoculture threats and economic incentives driving consolidation to a single set of tools like Log4J or OpenSSL which, when compromised, have broad impacts. Where can diversity in tooling make an impact?
• Ensure OSS developers have access to a full range of tools that can be used to probe and review code security, including proprietary software testing tools.
• Support a standards-based approach to interoperability to bridge the proprietary/open-source schism.
• Support community events focused on secure coding, security testing, and interoperability.
• Recognize the critical role unpaid volunteer work plays in open-source development.
• Policy solutions should consider the General Public License (GPL) and Berkeley Software Distribution (BSD) families of licensing.

Additional recommendations are included in the full report available on the website.

M³AAWG has commented on various public policy initiatives over the years and you can visit the Public Policy section on the M³AAWG website for more information.

M³AAWG is a technology-neutral global industry association. Our approach to internet abuse focuses on operational issues where we can collaborate with industry, leverage technology, and shape public policy. With over 200 institutional members worldwide, we bring together stakeholders in the online community in a confidential yet open forum, developing best practices and cooperative approaches in the fight against online abuse.