How to ‘harden’ open-source software

Much of today's critical infrastructure and military systems rely on open-source software
This image was created with the assistance of DALL·E 2

The US federal government and several European governments have renewed their concern about the security of open-source software. Following the December 2021 revelation of log4shell, a severe and easily exploitable vulnerability in the popular open-source package log4j, federal and industry efforts have been made to improve open-source software security.

The Senate’s Committee on Homeland Security and Government Affairs proposed the Securing Open Source Software Act, which directs the US Department of Homeland Security to assess how dependent the government and critical infrastructure are on open-source software. The US Office of the National Cyber Director is soliciting public feedback on open-source software security and public policy. Germany’s Sovereign Tech Fund has begun funding initiatives to improve its security.

Open-source software, which allows anyone to inspect, modify, and distribute its source code, has received such high-level attention in part because so much of modern software, including military systems and critical infrastructure, relies on it. Most of today’s software is open source, written by third parties rather than by the developer who ships it. The exact percentage of open-source code in deployed software varies depending on how the lines of code are measured.

Software developers rely on open-source packages from public repositories for efficient coding. The Python Package Index, analogous to an app store for open-source Python packages, now hosts nearly 500,000 projects. npm, the equivalent JavaScript registry, contains millions of packages.

Open-source software is a modern marvel for software developers who need to build applications quickly and easily. However, open-source code has had, and may continue to have, significant security issues. There are hundreds or thousands of known malicious compromises of open-source software. The number of unintentional vulnerabilities is also large, though the exact number defies simple measurement. The debate over whether open source or proprietary software is more secure is moot because of the prevalence of open-source inputs. The only pressing question is how to make open-source software more secure than it currently is.

The Open Source Hardening Project

In 2006, the Department of Homeland Security awarded a contract for a little over a million dollars to Coverity for the Open Source Hardening Project, an effort to publish the security-related findings of its static analysis tool for hundreds of major open-source software projects. Open-source projects — often under-funded and volunteer-run — used Coverity’s tool for free: the security findings, a list of potential security bugs, were made available to these open-source software developers. The developers were then free to use this information to fix any security bugs that it revealed.

By all accounts, the project was a success. During the three-year programme, developers across multiple open-source projects successfully fixed over 11,000 security vulnerabilities. The overall density of security defects in these projects dropped by nearly 20%.

The profit motive

The programme’s success is remarkable because it contradicts current theories about open-source code’s weaknesses. Prominent open-source software advocates often argue that companies and governments must fund open-source software maintainers to ensure security directly. Other advocates, while supportive of direct funding for maintainers, also believe that companies, foundations, and even governments should partner jointly and create large-scale plans to secure open-source software. In this view, a strong coalition of well-funded companies, foundations, and government agencies is necessary to address open-source software security issues.

The Open Source Hardening Program demonstrates that the profit motive can help secure open-source software. Although the Department of Homeland Security provided funding for this effort, it did not go directly to open-source software maintainers and did not require a broad coalition. Instead, Coverity pursued this programme for commercial reasons: the more open-source developers became comfortable with Coverity’s security analysis tool, the more likely they were to encourage their companies to purchase it. In short, Coverity’s long-term financial prospects were the key to its success.

To be sure, although open-source maintainers benefited from government funds, it was not a direct payment. Instead, the open-source software developers who took part in this programme benefited from better security tools and data which advanced the projects they championed. Simply put, the tools and data helped contributors — often part-time volunteers working nights and weekends — better identify and prioritise fixing unintentional security vulnerabilities.

Smaller, simpler, and cheaper

Of course, mobilising industry and government to secure open-source software has appeal, given the breadth of its security problems. Paying open-source software developers directly dovetails with a widely held belief that a root cause of open-source software insecurity is that many maintainers are volunteers. But the Open Source Hardening Program shows the elegance of another solution: providing additional funds to for-profit companies whose mission is predicated on improving open-source security.

Fortunately, the Department of Homeland Security is taking a page from its own playbook with its recent call for funding nimble outfits interested in building software supply-chain security tools. The recently introduced Securing Open Source Software Act also aligns with these efforts.

Some organisations, such as Germany’s Sovereign Tech Fund and philanthropic efforts, prefer to fund open-source software foundations and maintainers directly. There is room for that approach, too, but the Open Source Hardening Project suggests that such approaches are not the only path to security. The real trick will be for other parties, those with either ambitious plans or a scheme to fund open-source software developers, to reflect on what this forgotten programme from the past implies for their future.
