On June 7th, for the third year in a row, we hosted Upstream, a virtual, one-day celebration of open source, the developers who use it, and the maintainers who make it. It was our biggest Upstream yet, with hundreds of attendees joining us in discussions about the current state of open source and how to make it better for everyone.
In the first panel of the day, Donald Fischer, Tidelift CEO and co-founder, sat down with Veronica Daigle, Executive Director within Boeing’s Legislative Affairs, Government Operations, and Vijoy Pandey, Senior Vice President at Outshift by Cisco, to discuss how some of the largest organizations proactively engineer software supply chain security.
To open the discussion, Veronica broke down the current relevant moves in government that relate to software supply chain security, including: Executive Order 14028, the resulting NIST Secure Software Development Framework (SSDF), the Office of Management and Budget (OMB) memorandum M-22-18, and the National Cybersecurity Strategy from March 2023—all of which are aimed at creating preventative measures against potential cybersecurity threats.
Donald followed this by emphasizing the importance of open source software being mentioned in some of these directives and how the government is looking for ways to invest in improving open source security—in particular, in March’s National Cybersecurity Strategy. To quote directly from the strategy:
“To further incentivize the adoption of secure software development practices, the Administration will encourage coordinated vulnerability disclosure across all technology types and sectors; promote the further development of SBOMs; and develop a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure. In partnership with the private sector and the open-source software community, the Federal Government will also continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
Veronica highlighted this further, “There is so much policy makers can learn from the experts—the developers, the maintainers, those who are working on this everyday. It’s so crucial that those connections are made, because you want to make sure that the policies and regulations that come out are implementable, executable, and that they make sense to those who are actually working on these issues everyday.”
Private industry’s role
In response to a question posed by Donald about the role private industry should play in part of this conversation, Vijoy had this to say, “Regulations sound heavy, as if they’re slowing down innovation. We’re talking about safety, doing things responsibly—about security. It’s a miss by the private industry that we didn't solve the problem and we had to wait for regulations to happen. It shouldn’t have come to this.”
Vijoy explained further, “We need tech to solve tech problems. [...] This is a wakeup call for the entire industry. But in the end, tech needs to solve for this and companies like Tidelift are here to help make that happen. It’s pretty amazing to see a little bit of a spark being lit behind everybody here.”
“Secure by design. Secure by default.”
“Secure by design is an approach where you approach security at every stage of the development lifecycle, from the design, building, testing, and deployment,” Veronica said. “How are we making sure that security is built into this, that it’s embedded? It’s not only the actions, it's the philosophy.”
“Secure by default is where you’re establishing those configurations and settings, and incorporating them into your software. It’s like airbags and seatbelts—these default safety features. You’re taking some of the responsibility off of the end user and you're building in these protections as you’re developing the software.”
As it relates to the government, Veronica had this to say, “I think that the government is very interested in this [practice]. The idea of shifting the liability of software products away from the end user, such as applying patches, you’re moving it towards the development side. This is a major component of the National Cybersecurity Strategy, if you want to look at where the government is going with all of this.”
Working with the open source community
How can private industries work to help the independent creative communities wrapped up in the accidental supply chain?
“We need to reach out to those developers and those maintainers and enable them to fix security problems in those projects,” Vijoy said. “Cisco is a big believer in this—there’s no other way to solve this [issue].”
Similarly to Cisco, Boeing has an Open Source Program Office (OSPO), about which Veronica had this to say, “Fundamentally, we created it [an OSPO] [...] to contribute more to open source communities. Having the OSPO has been a great way of doing that. We hope we’re helping in our sector and encouraging others to create an OSPO.”
To learn about how industries and the U.S. government are working to improve the software supply chain and to learn more about the importance of establishing an Open Source Program Office, you can watch the Upstream talk on-demand here.