Open-source software is the structural building block for the digital infrastructure that supports the modern world. At IST, we believe it is of the utmost importance to develop an approach that anticipates vulnerabilities and other risks such as malicious code before they impact the entire Internet infrastructure.

"Rather than a reactive approach, the software development ecosystem must shift code review to an earlier stage in the development and deployment lifecycle. This report advocates for shifting open-source software security to a shared responsibility model, redoubling support for existing secure software development frameworks, policies, and licenses, and reexamining approaches to vulnerability management and mitigation to ensure they account for open-source software."

Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem

Recent Content

Blog

IST’s Open-Source Software Security Initiative Submits Response to Request for Information

This week, the IST team submitted a response to a request for information (RFI) from the Office of the National Cyber Director (ONCD), the Cybersecurity Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) on areas of long-term focus and prioritization in open-source software security.

AI, market incentives, ONCD, open source software, RFI, secure-by-design

October 11, 2023

Castles Built on Sand: Digging into the Foundation | Towards Securing the Open-Source Software Ecosystem

Event

July 18, 2023 3:00 pm

Castles Built on Sand: Digging into the Foundation | Towards Securing the Open-Source Software Ecosystem

On July 18, 2023 Politico’s John Sakellariadis moderated a conversation with the authors of Castles Built on Sand to dig into the foundation of our recommendations to secure the open-source software ecosystem.

Log4j, open source software, software security, vulnerability management

July 18, 2023

Report

Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem

Castles Built on Sand advocates for a fundamental shift in the open-source software ecosystem. Taking the Log4j vulnerability as a case study, the paper seeks to understand the documentation of its development, the transparent response and mitigation efforts at each stage of the disclosure cycle, and its ongoing exploitation.

cybersecurity, Log4j, open source software, vulnerability management

April 17, 2023

Blog

IST announces new support from Omidyar Network to develop a framework for a secure open-source software ecosystem

Through a partnership with Omidyar Network, a social change venture that works to reimagine critical systems and the ideas that govern them, IST will work to develop a framework for securing the open-source software ecosystem.

About the Institute for Security and Technology

Our Team

Board Of Directors

Careers

Contact Us

Featured Events

Cyber Policy Awards

Critical Effect DC

AI and NC3
Pioneering action-oriented efforts to explore how advanced AI capabilities will be integrated into nuclear command, control, and communications

AI Antitrust and National Security
Exploring how to more effectively account for national security considerations in AI antitrust cases while respecting precedent, scope, and the core principles of antitrust law

AI Risk Reduction Initiative
Assessing the emerging risks and opportunities of AI foundation models and developing risk reduction strategies

AI Chip Export Control Initiative
Safeguarding U.S. national competitiveness by closing critical compliance and enforcement gaps

AI Risk Barometer
Measuring national security professionals’ perceptions of AI futures through a technically-informed survey

CATALINK
Preventing the onset or escalation of conflict by building a resilient global communications system

Energy FIRST
Powering U.S. and allied security & prosperity through a resilient energy future

Ransomware Task Force (RTF)
Combating the ransomware threat with a cross-sector approach

Religious Voices and Responsible AI
Engaging religious communities on safe and beneficial AI

SL5 Task Force
Strengthening AI security through a multistakeholder approach

UnDisruptable27
Driving more resilient lifeline critical infrastructure for our communities

All Projects
» Explore all of IST's projects, past and current

Focus Areas

Future of Digital Security

Geopolitics of Technology

Innovation and Catastrophic Risk

Open-Source Software Security Initiative

Towards securing the open-source software ecosystem

Recent Content

IST’s Open-Source Software Security Initiative Submits Response to Request for Information

Castles Built on Sand: Digging into the Foundation | Towards Securing the Open-Source Software Ecosystem

Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem

IST announces new support from Omidyar Network to develop a framework for a secure open-source software ecosystem

Open-Source Software Security Experts

Megan Stifel

Chief Strategy Officer

Marc Rogers

Adjunct Senior Technical Advisor

Join our mailing list for IST updates, events, and analysis:

About IST

Focus Areas

Get Involved