The key to fixing massive security problems in the software supply chain lies with major consumers of open source, according to a group of experts from the Open Source Security Foundation.
The Open Source Consumption Manifesto, a document released Thursday on behalf of the OpenSSF End Users Working Group, calls on commercial and non-commercial development organizations to:
- Consider the critical role of open source software consumption in building a secure software supply chain.
- Balance open source software consumption against a defined risk profile, which depends on factors such as risk tolerance and regulatory context.
- Recognize potential risks, including vulnerabilities, malicious software and component choice.
- Understand that not all vulnerabilities are actively curated, and that risk scoring systems (such as CVSS) can be trailing indicators.
- Use audit and quarantine functionality for components that match known vulnerabilities or known malicious packages.
The manifesto is aimed at organizations that use open source components as dependencies in their own software, according to Brian Fox, co-founder and CTO of Sonatype and one of the authors of the manifesto.
“The typical application is 80%-90% open source and has been for nearly two decades,” Fox said via email. “We need these organizations to manage the open source dependencies intentionally, like they do for third-party software they buy.”
The group says open source maintainers should not carry the bulk of the burden for supply chain security.
Incidents like the Sunburst malware supply chain attack against SolarWinds and the Log4j vulnerability led to a crisis of confidence, but the group insists that new practices by large consumers of open source can change that dynamic.
The manifesto comes just weeks after the White House issued a request for information about open source security and the use of memory-safe languages. A central component of the Biden administration’s national cybersecurity strategy has been developing better ways to secure supply chains in the wake of the Log4j crisis.