Event: NGI Forum 2023 – PLENARY 4
Title: Securing the Open-Source Frontier: Navigating Supply Chain Risks
Roundtable moderated by Mirko Presser, Associate Professor, Aarhus University, with:
- Anthony Harrison, Founder, APH10
- Camille Moulin, Consultant, Inno³
- Philippe Ombredanne, CTO, nexB Inc.
- Melanie Rieback, CEO/Co-founder, Radically Open Security
In an interesting and far-reaching discussion, panelists underscored the importance of addressing maintenance, security, and funding challenges in the open source software ecosystem, with a focus on standardisation, transparency, and community collaboration.
The ten main topics discussed are the following:
- Maintenance and legacy code: Camille Moulin argued that issues like Heartbleed and Log4j are not necessarily due to bad code but stem from inadequate maintenance. There is a clear need to invest in maintaining legacy versions to address the requirements of users still relying on older features.
- Complexity of mission-critical systems: Anthony Harrison highlighted the complexity of mission-critical systems, expressing concern about the security assumptions made in both old and new systems. He raised questions about the safety of new systems and the potential vulnerabilities in existing ones.
- Security challenges for different organisations: Melanie Rieback discussed context-dependent security challenges, pointing out that larger organisations struggle to understand their attack surface, especially with the blurring of network boundaries due to remote work. Small players face issues of being under-resourced and lacking knowledge, making standardised solutions essential.
- Software Bill of Materials (SBOM): Anthony Harrison introduced the concept of SBOM, a list of the components contained in a piece of software, intended to improve understanding and security. Philippe Ombredanne mentioned SPDX and CycloneDX as standards for efficient detection and reporting of software components, and stressed the importance of software licenses, known vulnerabilities, and sustainable development processes. Melanie Rieback highlighted the confusion and lack of standardisation in SBOM implementation, with various incompatible tools and outputs; she advocated funding to prevent fragmentation and automation, given the extensive number of dependencies involved. Camille Moulin considered SBOMs a good starting point but focused on the need for high-quality information and effective maintenance. Anthony Harrison noted that SBOMs should be used continuously throughout the development process, not just generated and forgotten.
- EU’s Cyber Resilience Act (CRA): Philippe Ombredanne sees the CRA as a positive step, providing provisions for supporting open source projects and small businesses. He stressed the potential of open source tools and data to aid compliance with security requirements.
- Funding and economic models: Melanie Rieback called for incubation programmes for open source projects, teaching sustainable business models and alternative governance structures. She described the economic issues in supply chain security and the need for new economic models for a free internet.
- Transparency, open data and funding: Philippe Ombredanne called for transparency and open data about open source projects, stressing the community and government’s role in funding these efforts to enable a free internet. According to Camille Moulin, funding often does not reach maintainers, and there’s a tendency to value innovation more than maintenance. He called for the establishment of NGI Maintenance.
- Issues around big tech: Anthony Harrison expressed the desire to know who is making money from open source software and raised concerns that big tech may be hesitant to release SBOMs as it would reveal their (commercial) benefits.
- Unused security budget within NGI: Melanie Rieback mentioned that there is a significant budget available for security audits, and encouraged developers to take advantage of it for security by design.
- Procurement policies and market creation: Melanie Rieback called for the European Commission to create market demand for open source solutions, redirecting funds to strengthen the open source ecosystem.
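The SBOM discussion above makes two practical points: components should be reported in a standard format such as CycloneDX, and the SBOM should be consumed continuously in the development process rather than generated once. The following is an added example, not code from the panel or from any project named on this page: it reads two CycloneDX JSON documents from consecutive builds, diffs the component inventory, and cross-checks it against an advisory table. Both SBOMs and the advisory table are constructed sample data with placeholder advisory ids; in a real pipeline the table would come from a vulnerability feed.

```python
"""Consume CycloneDX JSON SBOMs in a build pipeline: diff consecutive builds
and cross-check the component inventory against an advisory list.

Added example; not code from the panel or any named project. All SBOMs and
advisory entries below are constructed sample data."""
import json

# Two constructed SBOMs for consecutive builds of a hypothetical service.
SBOM_BUILD_41 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8?vcs_url=git+ssh://git@example.invalid/openssl.git"},
    ],
})
SBOM_BUILD_42 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8?vcs_url=git+ssh://git@example.invalid/openssl.git"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
})

# Constructed advisory table: versionless purl -> {affected version: advisory id}.
# Placeholder ids only; a real pipeline would pull this from a vulnerability feed.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": {"2.14.1": "ADVISORY-PLACEHOLDER-1"},
}


def split_purl(purl):
    """Return (versionless purl, version) from a package URL.

    Subpath ('#...') and qualifiers ('?...') are dropped first so that an '@'
    inside a qualifier such as vcs_url is not mistaken for the version separator.
    """
    base = purl.split("#", 1)[0].split("?", 1)[0]
    name, sep, version = base.rpartition("@")
    if not sep:
        return base, None
    return name, version


def load_components(sbom_json):
    """Map versionless purl -> version for every component in a CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inventory = {}
    for comp in doc.get("components", []):
        if "purl" in comp:
            key, version = split_purl(comp["purl"])
        else:  # fall back to the bare name when no purl is present
            key, version = comp["name"], None
        inventory[key] = version or comp.get("version")
    return inventory


def diff_inventories(old, new):
    """Report what changed between two builds: added, removed, version bumps."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {k: (old[k], new[k]) for k in set(old) & set(new) if old[k] != new[k]},
    }


def known_bad(inventory, advisories):
    """Return [(purl, version, advisory id)] for components on the advisory list."""
    hits = []
    for key, version in inventory.items():
        advisory = advisories.get(key, {}).get(version)
        if advisory:
            hits.append((key, version, advisory))
    return hits


def review_build(previous_sbom, current_sbom, advisories=ADVISORIES):
    """Gate a build: what changed since the last build and what is still flagged."""
    old, new = load_components(previous_sbom), load_components(current_sbom)
    return {"diff": diff_inventories(old, new), "flagged": known_bad(new, advisories)}


if __name__ == "__main__":
    print(json.dumps(review_build(SBOM_BUILD_41, SBOM_BUILD_42), indent=2))
```

Running `review_build` on every build turns the SBOM into a living artefact: a newly added dependency or a version change shows up in the diff for review, and any component still matching the advisory table blocks the build. Keying the inventory on the versionless purl rather than the display name is what makes the comparison stable across tools that emit different `name` fields for the same package.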