Yesterday, the White House issued a much anticipated executive order on improving the cybersecurity of the United States. I’d like to share some of the key takeaways from the executive order along with an analysis of the potential impacts for organizations using open source software to develop applications.
What is the cybersecurity executive order 14028?
First, some broad perspective: this order is a bold and necessary step by the United States government to use its substantial purchasing power to force much-needed improvements to software industry cybersecurity standards. While the SolarWinds and Colonial Pipeline attacks are the most visible recent examples of the woeful state of cybersecurity, this order is a call to action that we cannot, as creators and consumers of technology, accept the current status quo in perpetuity.
From the order:
“In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.
Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
If your organization is not based in the United States, or you don’t sell to the US government, you might read this and think that the executive order won’t have an impact on your organization. You’d be wrong.
As today’s Washington Post analysis articulated:
“In so many areas of computer security, what the federal government does first, the private sector follows,” said Schwartz, managing director of cybersecurity policy at Venable, a law firm. “What the federal government is requiring here likely will become the standard for all software moving forward—not just in the United States but internationally.”
So in essence, this order is a striking attempt to create a new global standard for cybersecurity, one that organizations around the world will need their software supply chains to meet or exceed in the near future.
As such, every organization should understand the proposed standards and requirements being set forth and begin an internal discussion about what is required to address them.
Impacts for organizations developing applications with open source
According to Executive Order 14028, the National Institute of Standards and Technology will be issuing guidance within the next year on the practices organizations will need to follow to ensure the security of the software supply chain.
Of particular importance to those using open source to develop applications are these requirements from the order:
(vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;
(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website
(x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.
Those words give the tiniest look at the massive piece of iceberg floating below the surface for most organizations.
The hard truth is that most organizations do not currently have a comprehensive understanding of all of the open source software being used in their applications, let alone a software bill of materials that identifies the exact components and versions in use across those applications.
Which becomes even more critical against this backdrop:
- 92% of modern applications contain open source components
- As much as 70% of the average application is comprised of open source code
One of the most urgent tasks for organizations and teams using open source to develop applications is to implement a better, more comprehensive way to manage the health and security of the open source components in their software supply chain.
Increasingly, in a world where more and more software is made with open source, software security means open source software security. According to a recent Tidelift survey, in organizations with over 10,000 employees, 39% of respondents reported that they were not very or not at all confident that the open source components they were using were secure, well maintained, and up to date. Only 16% were extremely confident.
It begs the question: if you are part of the 84% of organizations that aren’t extremely confident, would you be willing to personally attest to the integrity and provenance of your open source components today if and when the US government comes calling?
This executive order 14028 will bring about critical—and necessary—changes to how modern software applications are built. Meanwhile, organizations will be held accountable on a larger scale for the health of their applications and the open source components that go into them.
Having these processes defined across your organization will help set you up for success:
- What is the process for generating a software bill of materials (SBOM) that lists the third-party ingredients of your software application, including each component's version and a hash of the artifact you actually built against?
- What are the policies and procurement process for developing with open source components (including who created them, who is maintaining them, and when they were last updated)?
- What is the plan for incident response and remediation when new vulnerabilities arise in the future, especially for third-party open source software?
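To make the three questions above concrete, here is an added example (written for this post, not Tidelift's product code) that builds a minimal CycloneDX-style SBOM from a hash-pinned pip lock file, verifies that the artifacts you install actually match the pinned hashes (the integrity and provenance control in clause (x)), and checks the resulting inventory against an advisory list so that a new vulnerability can be mapped to affected applications. The lock file text, the artifact bytes, the package names `examplehttp` and `exampleutil`, and the advisory `EXAMPLE-0001` are all constructed for the example; a real pipeline would read the lock file and wheels from disk and the advisories from a vulnerability feed.

```python
"""Added example: SBOM generation, integrity check and advisory matching.

Not code from the post or from Tidelift. All inputs below are constructed.
"""
import hashlib
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    sha256: str

    def purl(self) -> str:
        # Package URL for a PyPI component (assumption: all components are PyPI packages).
        return f"pkg:pypi/{self.name.lower()}@{self.version}"


# Constructed "downloaded wheel" bytes, keyed by package name (hypothetical packages).
ARTIFACTS = {
    "examplehttp": b"constructed wheel bytes for examplehttp 1.4.2",
    "exampleutil": b"constructed wheel bytes for exampleutil 3.1.0",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lock file in pip's hash-pinning syntax, derived from ARTIFACTS so the
# integrity check below has something to verify against.
LOCK_FILE = "\n".join(
    f"{name}=={version} \\\n    --hash=sha256:{sha256_hex(ARTIFACTS[name])}"
    for name, version in [("examplehttp", "1.4.2"), ("exampleutil", "3.1.0")]
)

# Constructed advisory with a half-open [introduced, fixed) affected range.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "exampleutil", "introduced": "3.0.0", "fixed": "3.1.1"},
]

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_lock(text: str) -> list:
    """Parse 'name==version --hash=sha256:...' entries; reject anything unpinned or unhashed."""
    components = []
    for logical in text.replace("\\\n", " ").splitlines():
        logical = logical.strip()
        if not logical or logical.startswith("#"):
            continue
        req = REQ_RE.match(logical)
        digest = HASH_RE.search(logical)
        if not req or not digest:
            raise ValueError(f"requirement is not pinned with a sha256 hash: {logical!r}")
        components.append(Component(req["name"], req["version"], digest.group(1)))
    return components


def build_sbom(components: list) -> dict:
    """Emit a minimal CycloneDX 1.4 JSON document for the parsed components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": c.name,
                "version": c.version,
                "purl": c.purl(),
                "hashes": [{"alg": "SHA-256", "content": c.sha256}],
            }
            for c in components
        ],
    }


def verify_integrity(sbom: dict, artifacts: dict) -> list:
    """Return names of components whose artifact is missing or does not match the SBOM hash."""
    mismatched = []
    for comp in sbom["components"]:
        expected = comp["hashes"][0]["content"]
        data = artifacts.get(comp["name"])
        if data is None or sha256_hex(data) != expected:
            mismatched.append(comp["name"])
    return mismatched


def parse_version(version: str) -> tuple:
    # Assumption: plain dotted numeric versions; real feeds need PEP 440 comparison.
    return tuple(int(part) for part in version.split("."))


def affected_components(sbom: dict, advisories: list) -> list:
    """Match inventory against advisories; returns (name, version, advisory id) tuples."""
    hits = []
    for comp in sbom["components"]:
        installed = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= installed < parse_version(adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(parse_lock(LOCK_FILE))
    print(json.dumps(sbom, indent=2))
    print("integrity mismatches:", verify_integrity(sbom, ARTIFACTS))
    print("affected:", affected_components(sbom, ADVISORIES))
```

The point of deriving the SBOM from the lock file rather than from whatever happens to be installed is that the hashes are then a record of what was built, so a later download that differs (a replaced artifact, a mirror serving the wrong file) is caught by `verify_integrity` rather than silently shipped; and keeping the inventory as data is what makes the incident-response question answerable when an advisory lands.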
Creating proactive and scalable processes to stay in line with Executive Order 14028 is going to take time to build, test, and implement. That's where Tidelift and the maintainers we partner with can help.
How can Tidelift help?
Tidelift provides a better way for organizations to manage their open source software supply chain. We help reduce the complexity of managing open source components across the organization, while keeping them safe and secure.
Through the Tidelift Subscription, we provide the tools to create, track, and manage catalogs of known-good, proactively maintained components that developers can pull from when building applications.
We also offer expert data, recommendations, and resources to help you create and enforce the right policies and practices for managing open source, while ensuring that you stay in compliance as threats to open source security and health emerge.
And we partner directly with the open source maintainers who built the thousands of components you rely on in the first place, paying them to attest to the provenance of their code while keeping it secure and up to date, now and into the future.
For organizations looking to comply with these new guidelines, Tidelift provides a complete solution for managing open source, helping organizations keep moving fast while staying confident that their code is secure, healthy, and well maintained.
- If you’d like to get a software bill of materials (SBOM) showing the open source components and versions your organization is already using, sign up for our free 14-day trial of the Tidelift Subscription
- Watch our on-demand demo and learn more about best practices for managing open source, including how the largest and most powerful technology companies do it today
- Sign up for Upstream, a one-day virtual event on June 7 where you can learn more from the upstream maintainers and industry experts designing the future of open source