Politics
posted by janrinok on Wednesday September 28 2022, @05:10PM
from the homespun-security dept.

US Senators Gary Peters (D-MI) and Rob Portman (R-OH) introduced S.4913 - Securing Open Source Software Act of 2022 the other day. It has been read twice and referred to the Committee on Homeland Security and Governmental Affairs. Here is the US Senate's press release:

U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to help protect federal and critical infrastructure systems by strengthening the security of open source software. The legislation comes after a hearing convened by Peters and Portman on the Log4j incident earlier this year, and would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used safely and securely by the federal government, critical infrastructure, and others. A vulnerability discovered in Log4j – which is widely used open source code – affected millions of computers worldwide, including critical infrastructure and federal systems. This led top cybersecurity experts to call it one of the most severe and widespread cybersecurity vulnerabilities ever seen.

[...] The overwhelming majority of computers in the world rely on open source code – freely available code that anyone can contribute to, develop, and use to create websites, applications, and more. It is maintained by a community of individuals and organizations. The federal government, one of the largest users of open source software in the world, must be able to manage its own risk and also help support the security of open source software in the private sector and the rest of the public sector.

The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.

-- Peters and Portman Introduce Bipartisan Legislation to Help Secure Open Source Software

Software freedom is not named explicitly in their definition as far as their diff^wtext goes. Nor are the free-of-charge, royalty-free aspects mentioned. Yet the text of S.4913 nevertheless seems to be a nod in the direction of Free Software:

(5) OPEN SOURCE SOFTWARE.—The term 'open source software' means software for which the human-readable source code is made available to the public for use, study, re-use, modification, enhancement, and re-distribution.

Behind the scenes, representatives from Microsoft appear to be milking the log4j circus for gain as shown by multiple other articles, not linked to here, and their vastly increased activity and presence in DC.

Overall, the legislative process needs to find a way to use versioning software so that all the "inserting before ...", "inserting after ...", "redesignating paragraphs ...", and other modifications can be easily processed and the current draft easily visible. However, that's not as simple as opening an account on GitLab or Src.ht and letting m$ and the rest of the world hammer at it unauthenticated and uncurated.

Previously:
(2022) The US Military Wants To Understand The Most Important Software On Earth
(2021) 'The Internet's on Fire': Techs Race to Fix Major Cybersecurity Software Flaw


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 3, Informative) by SomeRandomGeek (856) on Wednesday September 28 2022, @10:46PM (#1274113)

    To be used by the (US Federal) government, software must comply with certain rules, many of which relate to security. I have been through the process to make closed source software comply with the rules. I can say from experience that the compliance process tends to improve security significantly (for a commercial product where security was an afterthought at best.) But it does not produce the same level of security as a "security first" mentality. And it's a huge pain in the ass. Because of this, I think it is in the interest of the government to pay to make compliant forks of open source projects that they are interested in. But I don't think it is really in the interest of the maintainers of those projects to make the trunk compliant. It's too expensive (in terms of slowing down their development) for the security benefits it brings in. It is probably in everyone's best interest for the government to pay the maintainers to fix security bugs upstream rather than to try to fix them themselves in their fork.
