Despite Vulnerabilities, OSS in Government’s Here to Stay

A recent article makes a bold declaration, claiming “open-source software has become the foundation of the digital economy … it constitutes 70% - 90% of any given piece of modern software.” 

If you're questioning the credibility of open-source code, look no further. Google, Facebook, Amazon, and Microsoft all contribute to open-source resources. Google’s DNA is open-source code. Its mobile Android platform was constructed of open-source software (OSS). 

The Don’t Leave Open Source Open to Vulnerabilities article admits “open-source software is now a prominent and indispensable aspect of the digital infrastructure.” The facts are clear. Even with perceived vulnerabilities, open-source software (OSS) is here to stay. 

Government Jumps on OSS Bandwagon 

How did the US government come to embrace open-source software? The public sector locked on to open-source code because of its collaborative nature, its easy-to-evolve flexibility, and, of course, the savings from avoiding a costly, start-from-scratch software development process. 

Now there is some measure of trepidation within the public sector because of recent high-profile issues of ransomware and malware infecting government computer networks.

What Seems Good Can Turn Bad  

Because of some of its most positive factors — a collaborative, easy to edit, shareable nature — now some are pointing fingers at the potential vulnerability of open-source code.  

The federal Cybersecurity and Infrastructure Security Agency (CISA) has singled out vulnerabilities in open-source code. An open-source industry report found “just 49% of organizations have a security policy that covers OSS development or use.” 

Protecting Government OSS Resources 

However, there are ways to safeguard open-source software:

  • Multi-factor authentication (MFA) can help developers detect any hidden malware code before the software goes into use.

  • Supply chain security can ensure that open-source software is handed off through a chain of command that limits the number of parties it passes through.

  • A software bill of materials (SBOM) helps users understand what code is contained in a piece of software, reducing risk.

And don’t blame the biggest government breach ever on OSS: the SolarWinds supply chain hack was from a closed software system. 

Third-party verifiers of open-source code have sprouted up; the Linux Open-Source Foundation being the most well-known. Organizations like this add some safety and credibility to OSS resources.  

With an evident talent shortage of software developers in the public sector, open-source software does offer a way around the personnel issue, providing already-developed, already-tested software resources. 

Read the Venture Beat article about open-source vulnerabilities:

The article refers to government in the UK, but is still relevant to and insightful on the topic: 
