#SOOCon23: UK Government Urges Industry Input on Software Security Policy

The UK government is seeking industry views on how to regulate software security without stifling innovation.

Naomi Gilbert, Head of the Cyber Resilience Policy Team at the Department for Digital, Culture, Media and Sport (DCMS), speaking at State of Open Con 23, said software brings major economic benefits to the UK through opportunities for innovation and increased efficiency.

“Innovation and creativity derived from software development are central to the strength of our technology division,” she said.

Nevertheless, she noted that the UK faces many challenges in securing its digital supply chains. A key component is the software used, including open source.

The UK government “recognizes that open source in particular is a fundamental driver of innovation in the UK and globally,” added Gilbert. “The open source community is an important contributor to UK technology,” she said.

It is important that policies in this area are developed in collaboration with that community, and with this in mind DCMS recently issued a Request for Views on Software Resilience and Security, which will run for 12 weeks. Gilbert explained that it sets out the government’s view of software risks and possible policy solutions.

On risks, Gilbert highlighted a number of high-profile supply chain cyber-attacks targeting software, including the Kaseya incident in 2021, in which attackers injected malicious code into the software and spread it to customers through updates.

“Many of its customers were managed service providers, which meant the attack spread rapidly to customers through the software supply chain,” said Gilbert.

Meanwhile, the Log4j vulnerability discovered at the end of 2021 highlighted a “key transparency issue.” According to Gilbert, once the vulnerability was identified and made public it became “low-hanging fruit” for attackers, with more than 800,000 attacks recorded in just 72 hours.

Risk framework approach

Gilbert then set out the government’s software risk framework, which revolves around six risk areas related to development, distribution, service delivery and the customer’s role. These apply to both open source and proprietary software.

These include accidental vulnerabilities, malicious or intentional compromise, and insecure development environments.

“The number of attacks targeting open source components is large and growing,” Gilbert emphasized. Additionally, malicious actors are increasingly targeting open source repositories by publishing malicious open source packages that developers unintentionally incorporate into their software.

Lack of maintainers, time and capacity pressure on the open source community, and poor communication of vulnerabilities are problems specific to open source software, she added.

“The open source community and industry have already taken some steps to bring in more tools and resources to support developers and maintainers,” Gilbert acknowledged. The government is now actively considering ways to support these efforts and promote secure development best practices “without placing an unnecessary burden on developers and maintainers.”

She presented a series of potential policy ideas on which the government would like feedback from industry.

To promote software development security:

  • Organization and software package certification
  • Guidelines, e.g. codes of conduct
  • Development of international standards
  • Financial support for small businesses that follow best practices
  • Support the development of vulnerability scanning tools

To support the open source community:

  • Guidance on secure development with open source
  • Funding industry-led initiatives
  • Collaborate with industry to develop tools
  • Government backed team to maintain critical components

To promote transparency and communication:

  • Regulations requiring minimum standards of transparency
  • Vendor certification according to best practices
  • Secure information sharing mechanism
  • Guidance for Vendors on Promoting Transparency
  • Guidance on SBOM and equivalent tools
  • SBOM secure central database

Gilbert stressed that these options “are not exhaustive, and not all of them are viable or practical to pursue.”


She added that the government is particularly keen to hear from the open source community about three key questions:

  • What are the biggest issues affecting software security?
  • What more actions are needed to address these issues (government or industry)?
  • How should governments work with the open source community to address these risks?
