Despite Vulnerabilities, OSS in Government’s Here to Stay
A recent Venturebeat.com article makes a bold declaration, claiming “open-source software has become the foundation of the digital economy … it constitutes 70% - 90% of any given piece of modern software.”
If you're questioning the credibility of open-source code, look no further. Google, Facebook, Amazon, and Microsoft all contribute to open-source resources. Google’s DNA is open-source code. Its mobile Android platform was constructed of open-source software (OSS).
The Don’t Leave Open Source Open to Vulnerabilities article admits “open-source software is now a prominent and indispensable aspect of the digital infrastructure.” The facts are clear. Even with perceived vulnerabilities, open-source software (OSS) is here to stay.
Government Jumps on OSS Bandwagon
How did the US government come to embrace open-source software? The public sector locked on to open-source code because of its collaborative-nature, it’s easy to evolve flexibility, and of course, the affordable savings from avoiding a costly, starting-from-scratch, software development process.
Now there is some measure of trepidation within the public sector because of recent high-profile issues of ransomware and malware infecting government computer networks.
What Seems Good Can Turn Bad
Because of some of its most positive factors — a collaborative, easy to edit, shareable nature — now some are pointing fingers at the potential vulnerability of open-source code.
The federal Cybersecurity and Infrastructure Security Agency (CISA) has singled out vulnerabilities in open-source code. An open-source industry report found “just 49% of organizations have a security policy that covers OSS development or use.”
Protecting Government OSS Resources
However, there are ways to safeguard open-source software:
Multi-factor authentication (MFA) can help developers detect any hidden malware code before the software goes into use.
Supply Chain security can ensure that open-source software is handed off by a chain of command to limit the number of parties it passes through.
Software bill of materials (SBOM) help users understand what code is contained in a piece of software to reduce risk
And don’t blame the biggest government breach ever on OSS: the SolarWinds supply chain hack was from a closed software system.
Third-party verifiers of open-source code have sprouted up; the Linux Open-Source Foundation being the most well-known. Organizations like this add some safety and credibility to OSS resources.
With an evident talent shortage of software developers in the public sector, open-source software does offer a way around the personnel issue, providing already-developed, already-tested software resources.
Read the Venture Beat article about open-source vulnerabilities:
The Openaccessgovernment.org article refers to government in the UK, but is still relevant to and insightful on the topic: https://www.openaccessgovernment.org/why-the-government-is-backing-open-source-software/140839/