Last week, Cisco’s Head of Open Source, Stephen Augustus, and I joined nearly 100 executives from 37 companies and leaders from the White House and across the U.S. federal government in Washington DC at the Open Source Software Security Summit II to finalize an action plan to boost the security of open source software (“OSS”). The development of this plan and its effective implementation are vital given how foundational OSS is to so many products and services we use every day to live, work, learn, and play.
Even so-called “proprietary technologies” typically include sizeable blocks of open source code. This is beneficial from an economic standpoint and potentially from a security perspective as well because it does not require the same functions to be developed over and over again. Instead, new developers can build upon and remix what was done before them. Yet the varied benefits of OSS for everything from government services to critical infrastructure carry accompanying risks. This shared resource requires shared investments of time and energy.
Recent security incidents involving flaws found in widely used open source code, such as the Log4j library, illustrate the problem. While many aspects of open source code development are unlocking new innovations and spurring creativity—there are shared elements of dependency in which we have collectively and chronically underinvested as a society.
This summit—and a prior one hosted at the White House in January—led to the development of a 10-point action plan with three major goals: 1) secure OSS production by focusing on preventing security defects and vulnerabilities in code and open source packages, 2) improve the process for vulnerability discovery and remediation, and 3) shorten the ecosystem patching response time for distributing and implementing fixes.
As a significant consumer of and contributor to OSS, Cisco is already committing significant investments in time and resources to improve the security of widely-used OSS projects. Cisco looks forward to joining peer companies in partnership with government to deliver on this plan.