This morning, the U.S. White House Office of the National Cyber Director (ONCD) released a new report entitled Back to the Building Blocks: A Path Toward Secure and Measurable Software. 

This report highlights the importance of a proactive, secure by design approach to improving software security. From the report, emphasis ours:

“However, even if every known vulnerability were to be fixed, the prevalence of undiscovered vulnerabilities across the software ecosystem would still present additional risk. A proactive approach that focuses on eliminating entire classes of vulnerabilities reduces the potential attack surface and results in more reliable code, less downtime, and more predictable systems. Ultimately, this approach enables the United States to foster economic growth, accelerate technical innovation, and protect national security. Leaving these risks unmitigated comes with a costly price tag and may allow America’s adversaries to attempt to take advantage of the circumstances.”

Here are a few of the highlights from the report that stood out for us:

The need for continuous refinement and measurement of secure development practices

Over the past decade or so, at least in the open source world, the idea of scanning for vulnerabilities has taken center stage in many discussions about how to improve software security.

But over the past year, we’ve seen many organizations—and governments—refocus energy around proactively improving—and measuring—software quality as an equally, or perhaps even more important, way to drive good security outcomes.

In the section “Applications of Cybersecurity Quality Metrics,” the report highlights the need to continuously make measurements of software quality, rather than just doing it one time up front.

“Instead of one-time cybersecurity assessments, software can be dynamically evaluated. This advancement would help keep pace with an environment where threats constantly emerge and evolve, and software itself is in a state of perpetual development and refinement.”

This section also highlights the particular benefits of doing these sorts of ongoing quality and  health measurements with open source software, again emphasis ours:

“The application of cybersecurity quality metrics marks a shift in how software security is approached and understood. It is a journey from subjective assessment to objective precision, static snapshots to dynamic trends, and diffuse data to actionable insights. When applied to the open source software ecosystem it is easy to imagine the resulting impact; like using these metrics to identify an open-source library with poor cybersecurity quality and deciding to use a more secure component instead.”

When it comes to open source, it is critical to work directly with open source maintainers to proactively improve software quality, and not to expect that this work will be done for free.

Tidelift already works directly with the maintainers of thousands of the most relied upon open source packages to validate the secure software development practices they are using to create their projects. We also pay them not only to validate they are following practices like those outlined in the NIST Secure Software Development Framework, but keep those practices in place over time (Learn more about how we work with maintainers to improve the secure software development practices).

The role of market forces in driving behavior

In the section titled “Shifting Market Forces to Improve Cybersecurity Quality,” the report reiterates a point of view the government has made regularly over the past several years that the burden for proactively improving software security should not fall on users but instead the suppliers of that software. Again, from the report:

"Reframing the discussion on cybersecurity from a reactive to a proactive approach enables a shift in focus from the front-line defenders to the wide range of individuals that have an important part to play in securing the digital ecosystem. For far too long, primary responsibility for the cybersecurity of an organization has rested with the Chief Information Security Officer (CISO) of the company using software. They cannot be the only stakeholder accountable for cybersecurity outcomes; it is also critical, for example, that the Chief Information Officer (CIO) who is buying software, and the Chief Technology Officer (CTO) of manufacturers building software share this responsibility." 

As part of proactive approach, process and experience matters:

“Teams that are well-trained and experienced, armed with clear requirements and a history of creating robust software with minimal vulnerabilities, foster a higher level of confidence in the software they produce.”

While this report makes that point generally, it is just as true for open source software as it is for commercially developed software. For example, as we found in our 2023 Tidelift State of the Open Source Maintainer report, only 26% of open source maintainers are even aware of the NIST Secure Software Development Framework, and even those who are aware of them are often unlikely to implement these standards on their own because they don’t have the time nor the financial incentive to do the work. 

This means we need to see market forces—perhaps spurred by action from government—to begin driving the behavior we need from maintainers of open source projects. Maintainers have even told us that if the market compensates them to do the work to make their projects more secure, they’ll do it. When they ARE paid to do this work, as we found in our recent open source maintainer impact report, maintainers increase their security scores by 50% or more.

Final thoughts

Based on the questions asked in the RFI that ONCD put out last summer entitled Open-Source Software Security: Areas of Long-Term Focus and Prioritization, we suspect that what has been released in this report today is only part one.

While we’re glad to see the mentions of open source software in this technical report, we advocate a much stronger focus on incentives for secure development practices in open source software communities, where the vast majority of our modern software originates, and we expect that there will be more to come on that subject from ONCD in the future.

The ONCD even hints at as much in the video that accompanied the report this morning. In the video, Assistant National Cyber Director for Technology Security Anjana Rajan says:

"Last year we released an RFI on open source software security and memory-safety, and received over 100 submissions from diverse stakeholders across the community.  Those submissions are already informing not only this report, but prioritization of our open source software security efforts in the upcoming year."

We look forward to seeing those additional details, but in the meantime, to dive deeper into our thoughts on how to improve the incentives that would radically improve the security of the open source software we all depend on, read Tidelift’s response to the 2023 ONCD RFI.