OFA Symposium 2025: Open Technology Impact in Uncertain Times

Stephanie Lieggi

Session: 11-19, 14:40, 20 min
Building Open Source Software Security Policy: Lessons from Historical Trade Security Efforts
Stephanie Lieggi

Cases like XZ Utils highlight the pressing need for better security in open source software. Open source communities and concerned policymakers agree that more needs to be done to secure code from these supply chain attacks; however, there is still no significant agreement on how best to approach these challenges. The current debate about open source software security mirrors discussions around trade security that surfaced soon after 9/11. Industry argued then that regulations requiring importers to fully certify the security of their supply chains, as well as mandating “100% screening” of cargo containers, would result in the collapse of global trade. While policymakers and the security community understood these concerns, they also felt that industry’s approach up to that point was insufficient for countering threats to global security. Ultimately, the stakeholders were able to create a series of initiatives that balanced the needs of trade and security and provided effective incentives for “voluntary” compliance from industry. In this session, the presenters will provide the initial results of an ongoing research project funded through the Digital Infrastructure Insights Fund. The project is the first to compare the historical example of supply chain security for tangible goods with the current challenges facing open source software supply chain security. It focuses on the impact of governmental and industry trade security measures and on the current outlook for OSS security, identifying overlaps and evaluating lessons learned from the historical case study.

Sustainability and Security
Main Room