Open-source software is critical infrastructure: many of the devices, applications, services, and appliances that permeate our everyday lives run on open-source code. It is also a key driver of innovation: rather than spending hours rebuilding the same foundational codebases, developers can devote precious time to new, cutting-edge aspects of their work.
Yet open-source software is also vulnerable to security risks. In Castles Built on Sand, Zoë Brammer, Silas Cutler, Marc Rogers, and Megan Stifel put forward a series of recommendations to address these vulnerabilities, including: shifting open-source software security to a shared responsibility model, so that the responsibility for securing and maintaining open-source software is distributed more evenly; redoubling support for existing secure software development frameworks, policies, and licenses; and reexamining approaches to vulnerability management and mitigation to ensure they account for open-source software.
On July 18, Politico’s John Sakellariadis moderated a conversation with the report’s authors to dig into the foundation of our recommendations for securing the open-source software ecosystem.
How were these recommendations developed, and who played a role in the process? What exactly are the recommendations? What do they mean and what does implementation look like? If these recommendations are successful, what could be the impact on future open-source vulnerabilities, and how might these recommendations help to mitigate such a risk?