Legislation seeking to address open source software risks in government has been introduced by Sens. Gary Peters, D-Michigan, and Rob Portman, R-Ohio.

The “Securing Open Source Software Act of 2022” legislation comes after a hearing convened by Peters and Portman on the Log4j incident earlier this year. The legislation would direct the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework to evaluate how open source code is used by the federal government, as well as evaluate how the same framework could be used by critical infrastructure owners and operators to further identify vulnerabilities in open source.

In addition, the legislation calls on CISA to recruit individuals with expertise and experience in open source software, to perform outreach and engagement to bolster open source software security, support Federal efforts to strengthen both open source and supply chain security efforts.

The legislation also requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.

Tim Mackey, Principal Security Strategist at the Mountain View-based Synopsys Cybersecurity Research Center, says, “Managing open source software is fundamentally different from managing commercial software — whether that software is off-the-shelf or created based on a contract. Properly securing open source software requires an understanding of this and other realities for how open source enters organizations like the US government. The Open Source Software Act of 2022 recommends many activities that are traditionally the responsibility of an Open Source Program Office (OSPO). For example, it is the responsibility of an OSPO to determine what open source risks are acceptable for an application and the context in which it’s deployed.”

“While there is much to like in [the legislation], the fact that there is no mention of how open source software was tested is concerning. There are many software development practices that can create weaknesses in software, and some are programing language dependent. The capabilities of the various testing tools, both commercial and open source, also vary considerably. How well software is tested and what the security targets used during testing are as important in open source as in commercial software,” Mackey says.