“When I worked on a report from the US Cyber Safety Review Board about the Log4j vulnerability, I was stunned to find out that the developer community isn’t necessarily trained on security by design.”
These words come from the Acting National Cyber Director of the US Office of the National Cyber Director (ONCD), Kemba Walden on the opening keynote of the second day of the Black Hat USA convention, on August 10, 2023.
She announced during her talk that the ONCD and four other US government agencies (CISA, DARPA, the National Science Foundation and the Office of Management and Budget) have launched the same day a request for information on open source software security and memory-safe programming languages.
With this initiative, the White House is calling the cybersecurity and software development community “to plug in and help us make smart, realistic policies to make our open source software more secure, in line with initiative 4.1.2 of the National Cybersecurity Strategy Implementation Plan to secure the foundation of the internet,” Kemba explained.
She insisted that, while it’s impossible to get rid of the need for security patches, “we shouldn’t normalize patching routines like Microsoft’s Patch Tuesdays. We should really focus our effort on making open source software secure-by-design.
Responses are due by 5:00 p.m. EDT on October 9, 2023.
“There are very specific questions in the request for comments. My advice to all people interested is that the more you can supply crisp answers for policymakers like me, the more useful it will be,” Walden added.
Read more from Black Hat USA: ESET Unmasks Cyber-Espionage Group Targeting Embassies in Belarus
This announcement comes one month after the White House established the Open-Source Software Security Initiative (OS3I), an interagency working group with the goal of identifying policy solutions and channeling government resources to foster greater open-source software security across the ecosystem.
OS3I identified several focus areas, including increasing the proliferation of memory-safe programming languages; designing implementation requirements for secure, privacy-preserving security attestations; and identifying and promoting focused areas for prioritization.