U.S. flag

An official website of the United States government

Government Website

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Safely connect using HTTPS

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Open-Source Software Prevalence Initiative

The Open-Source Software (OSS) Prevalence Initiative encourages private industry and cybersecurity authorities to adopt free and readily available standards-based protocols to mitigate the risks inherent in OSS.

The Initiative is funded by the Investment and Infrastructure Jobs Act (IIJA) (see S&T’s CISRR Program for more information) and is a component of a larger strategy led by the Cybersecurity & Infrastructure Security Agency (CISA) CISA Open Source Software Security Roadmap.

Work with Us

The OSS Prevalence Initiative is eager to partner with private industry and cybersecurity authorities! 

To get started, email: OSS.Prevalence.Initiative@hq.dhs.gov

Areas for collaboration include, and are not limited to:

  • Testing of asset discovery and software composition analysis (SCA) tools/techniques, we seek validations of tools to date and opportunities to partner on further testing.
  • Technical feedback on our framework itself, we intend to hold upcoming engagements with others on our framework and need technical feedback on the techniques and procedures being used.
  • Authoritative cybersecurity entities wishing to collaborate, endorse, and co-publish the final framework with S&T and CISA.

Current State of OSS

OSS is code that is freely available and can be readily used by anyone. Common usage includes:

  • OSS that software developers can use to add features to their products, as opposed to re-rewriting the code.
  • OSS for firmware for operational technology (e.g., widgets, smart devices, internet of things, etc.) that can be used as opposed to re-rewriting code. 

The convenience of using OSS comes at the tradeoff of cybersecurity. The fact that everyone has access to the source code of OSS and a general lack of ownership of OSS (often termed "providence") makes OSS inherently vulnerable when used.

Recent and major OSS vulnerabilities found include:

The list of vulnerabilities known to have been proven to be exploited abounds:

Other components of CISA’s Open-Source Software Security Strategy include:

If you are interested in learning more about OSS and the current landscape of OSS, the Linux Foundation with Harvard University Census II Report is a reputable and well-written report on this.

There is much guidance available to network owners about what level of security they should be assuring their networks to, such as the Linux Foundations Supply-chain Levels for Software Artifacts (SLSA for short, pronounced “salsa”) or the NIST Secure Software Development Framework (SSDF). Additionally, the challenge grows when the current state of commercial-off-the-shelf (COTS) products in network assurance is that no single product can get a network owner to full network assurance, with many vendor capability claims having never been independently validated.  DHS S&T seeks to develop the how for CI owners/operators to get to network assurance as per or the NIST SSDF or similar. 

Image
Problem: Critical infrastructure (CI) sites are piecemeals of individual devices. Each site device is also a piecemeal of layers of hardware, firmware, & software. Software owners/operators lack visibility into what piecemeal code is at each layer of each device. Site owners/operators lack visibility into cyber vulnerabilities from OSS to their infrastructure. Solution: 1. Develop Methodology. Partner with Department of Energy (DOE) National Labs to develop the blueprint outlining how to: Asset discovery, S
Last Updated: 04/22/2024
Was this page helpful?
This page was not helpful because the content