Securing Open Source Software at the Source: Creating a Center for Open Source Software Infrastructure and Security | Ashwin Ramaswami, Schmidt Futures | June 11, 2021
investinopen's bookmarks 2022-05-31
Summary:
"Secure software supply chains are imperative to national security. When software supply chains come under attack, hackers and foreign adversaries compromise software to gain access to critical infrastructure, conduct espionage, and destroy information. As demonstrated by recent cyberattacks against SolarWinds and Microsoft Exchange, software supply chains are exposed and will continue to face assaults by nefarious actors unless the United States takes action to secure them.
A critical foundation of both public and private software supply chains is open source software (OSS). In fact, approximately 98% of codebases [1] contain OSS components. [2] However, OSS is substantially supported by software engineers working on a volunteer basis who do not always prioritize security, potentially endangering our crucial software supply chains.
The federal government can play a greater role in safeguarding software supply chains by securing open source development in two ways:
1. Identifying and cataloging critical software in need of support; and
2. Funding critical improvements in open source software security.
These recommendations reflect Recommendation 4.1.1 of the Cyberspace Solarium Commission Report. [3]
As Congress prepares the upcoming FY 2022 National Defense Authorization Act (NDAA), one way to accomplish these recommendations is to include the establishment of a Center for Open Source Software Infrastructure and Security...."
Link:
https://www.plaintextgroup.com/reports/securing-open-source-software-at-the-source