Earlier this year, the open-source community came under the scrutiny of a US Senate committee investigating a serious vulnerability in Log4j, a widely used, Java-based logging utility. Government experts say the vulnerability, called Log4Shell, was one of the most severe and widespread cybersecurity risks they've ever seen. The question is what to do now about security risks in open-source software—if anything.
"This bug, which can be exploited by only typing in 12 characters, can allow cyber criminals and foreign adversaries to remotely access critical American networks," Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Michigan) said at the February hearing.
Although billed as an information-gathering exercise, the public forum caused some discussion in open-source and security circles about whether government concerns over open-source software could lead to its regulation.
"The recent Log4j open-source software vulnerability is yet another example as to why safeguarding open-source software is critical," said Slava Bronfman, CEO and co-founder of Cybellum, a cybersecurity platform maker located in Tel Aviv, Israel.
'Misguided' assumptions about open-source security
"There has long been a misguided assumption that open-source software is secure because so many people have access to it and are using it in their projects, so any security issues would have been resolved," Bronfman added. "But while this may be true in some cases, it is not a standard that can be relied upon."
"There is a strong possibility that the topic of regulation will surface," said Purandar Das, CEO and co-founder of Sotero, a data protection company in Burlington, Massachusetts. "However, the challenge will be in trying to corral what has traditionally been an unregulated and self-regulated community."
The open-source community "has taken pride in operating in a nontraditional manner, with self-governance," he added. "The community polices itself, and that, to a large degree, is its appeal: contributing meaningfully to a broader cause without regulations."
The risk though, as with any community involvement, is that "various other factors can influence the participants," he said. "As we recently saw, a piece of code that specially targeted Russian computers was introduced into an open-source stack. The drivers behind that were obvious. It was a way of protesting and trying to make an impact for a cause."
Open-source regulation: Good idea, or not so much?
Cybellum's Bronfman argued that regulating open-source software is not only a good idea, but also a critical measure for safeguarding products and systems that use such code. But, he added, for the regulation to not hamper open-source innovation, "it should be focused on the organizations using the code, and they should be required to share vulnerabilities that they discover" back to the broader open-source community.
However, Jennifer Fernick, senior vice president and global head of research at the NCC Group, a cybersecurity risk and mitigation company in Manchester, UK, believes government regulation of open-source software would be a bad idea. "Regulating open source is like regulating street art. You might have compelling reasons for doing it, but whether you can successfully do it is a whole other question," she said.
Typically, she said, regulation is used when something needs to be done but when there are "insufficient market forces to encourage companies to make those investments that are needed for the good of the ecosystem or the good of society," she explained. "Open source is different from that. It isn't a specific company investing in a specific product. It's a collaboration between volunteers all over the world with different skill sets and motivations" and different degrees and types of corporate support.
She acknowledged that security can be inconsistent among open-source projects. "Some open-source projects are very security-minded, even paying companies to do security audits," she said. "They run security scans against their infrastructure. They have security teams. They have people reviewing the code. They do a lot of different things to try and shake out as many vulnerabilities as possible before things go into production."
"On the flip side, there is a tremendous number of open-source projects that have gaps," she continued. "That's quite reasonable. We can't blame open-source maintainers for that. They're volunteers building passion projects and features they're really interested in. It's not a norm in our education system that developers are taught how to do secure coding."
Partnership without regulation
Fernick said that the treatment of open-source software in President Joseph Biden's executive order on cybersecurity is a good example of government involvement in open-source security. "Rather than regulating the open-source software maintainers, which would not be a great plan, it is looking at regulating vendors' use of open-source components, which could be a very good idea," she explained.
The order calls for guidance and standards that ensure and, where possible, test the integrity and provenance of open-source software used in any portion of a product. "Basically, that says that you need to know as a vendor what software you're consuming and whether it's been tampered with and where it came from," Fernick said.
"When we talk about regulation and open source in the context of the Biden executive order," she continued, it is more about vendors "just pulling code off the Internet" that may be full of vulnerabilities.
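The integrity-and-provenance check the executive order describes, reduced to its simplest mechanical form, as an added example that is not part of the article and not taken from the order or from any project named here: a vendor build keeps a pinned record (here a small dictionary standing in for a lockfile or SBOM) of each open-source component's expected SHA-256 and source, and every artifact pulled in at build time is compared against it. The component names, source URL and artifact bytes are constructed for the example.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for downloaded artifacts; not real libraries.
TRUSTED_ARTIFACT = b"example-logging-lib 2.17.1 (constructed sample content)"
TAMPERED_ARTIFACT = TRUSTED_ARTIFACT + b"\n# injected change"

# Minimal pinned record of what the build is allowed to consume. The hash is
# derived from the constructed sample so the example runs self-contained; the
# source URL is a hypothetical placeholder.
LOCKFILE = {
    "example-logging-lib-2.17.1.jar": {
        "sha256": sha256_hex(TRUSTED_ARTIFACT),
        "source": "https://repo.example.invalid/example-logging-lib/2.17.1/",
    },
}

def check_component(name: str, data: bytes, lockfile: dict = LOCKFILE) -> dict:
    """Classify one fetched component against the pinned record.

    status is one of:
      'ok'       - pinned and the digest matches
      'tampered' - pinned but the digest differs (modified or substituted)
      'unpinned' - no provenance record exists for this component at all
    """
    actual = sha256_hex(data)
    entry = lockfile.get(name)
    if entry is None:
        return {"name": name, "status": "unpinned", "sha256": actual, "source": None}
    # Constant-time comparison; harmless here but the right habit for digests.
    if not hmac.compare_digest(actual, entry["sha256"]):
        return {"name": name, "status": "tampered", "sha256": actual, "source": entry["source"]}
    return {"name": name, "status": "ok", "sha256": actual, "source": entry["source"]}

def verify_build_inputs(downloads: dict, lockfile: dict = LOCKFILE) -> dict:
    """Check every component a build fetched; the build should fail on any non-'ok' result."""
    results = [check_component(name, data, lockfile) for name, data in downloads.items()]
    failures = [r for r in results if r["status"] != "ok"]
    return {"passed": not failures, "results": results, "failures": failures}

if __name__ == "__main__":
    summary = verify_build_inputs({
        "example-logging-lib-2.17.1.jar": TAMPERED_ARTIFACT,  # pinned, but altered
        "unknown-helper-0.1.jar": b"never recorded anywhere",  # no provenance at all
    })
    for r in summary["results"]:
        print(f"{r['status']:9} {r['name']}  sha256={r['sha256'][:16]}...  source={r['source']}")
    print("build passed" if summary["passed"] else "build blocked")
```

The two failure classes are deliberately kept apart: a tampered component points at a supply-chain problem with a specific artifact, while an unpinned one means the build is "just pulling code off the Internet" with no record of where it came from, which is exactly the practice the order targets.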
"What they're basically saying is, 'If you want to sell to the government, here are the new rules you need to start to follow,'" said Josh Bressers, vice president of security at Anchore, a software development security company in Santa Barbara, California. "They don't apply directly to open-source software. They apply to the company using open source to build its product. That's perfect."
"It creates a nice environment where everyone is working together in the right direction versus the government or industry telling open source what it has to do," he said.
Hands off going forward?
Bressers was optimistic about the government maintaining a hands-off approach toward open-source software. He said that he was impressed by lawmakers' attitudes at the Senate hearing. "Instead of trying to take control of any of this or blame anybody for what had happened, there was a real message of working with open source—a partnership of commercial, government, and community," he said. "That was fantastic."
"After an incident like Log4j, I always have concerns over some misguided regulation," he said. "After that hearing, I no longer have those concerns."