Open-Source Software Security Initiative

Towards securing the open-source software ecosystem

Open-source software is the structural building block for the digital infrastructure that supports the modern world. At IST, we believe it is of the utmost importance to develop an approach that anticipates vulnerabilities and other risks such as malicious code before they impact the entire Internet infrastructure.

“Rather than a reactive approach, the software development ecosystem must shift code review to an earlier stage in the development and deployment lifecycle. This report advocates for shifting open-source software security to a shared responsibility model, redoubling support for existing secure software development frameworks, policies, and licenses, and reexamining approaches to vulnerability management and mitigation to ensure they account for open-source software.”
– Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem

Featured Events

Castles Built on Sand: Digging into the Foundation
July 18, 2023 | Virtual Event
POLITICO’s John Sakellariadis moderated a conversation with the authors of the report Castles Built on Sand, asking the tough questions to get to the core of each recommendation and its implementation process. Watch on YouTube.

IST’s Open-Source Software Security Initiative Submits Response to Request for Information
October 2023 | Response to RFI

Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem
April 2023 | Report

IST Reviews the 2023 National Cybersecurity Strategy: Analysis and Next Steps
March 2023 | NatSpecs Blog

IST announces new support from Omidyar Network to develop a framework for a secure open-source software ecosystem
January 2023 | NatSpecs Blog

Open-Source in the News

Institute for Security and Technology calls for shared responsibility model to secure open source software
In an in-depth article, InsideCybersecurity’s Sara Friedman reviews the recommendations from the report. “The Institute for Security and Technology is proposing using a shared responsibility model for open source software security in a new report highlighting opportunities to incentivize best practices and improve vulnerability management,” she writes.
April 19, 2023 | IST in the News

In his new cybersecurity strategy, Biden identifies cloud security as a major threat
“Between cloud and open-source software, we’ve probably seen the greatest democratization of innovation since computing began,” Marc Rogers tells NPR’s Steve Inskeep. But vulnerabilities remain.
April 4, 2023 | IST in the News

Can a White House initiative compel tech companies to write safer code?
Megan Stifel spoke to Cyberscoop’s Elias Groll on the trade-off between security and innovation in software development. That software developers continue to create code that relies on libraries with known vulnerabilities “is no longer acceptable,” she says.
March 31, 2023 | IST in the News

IST’s Stifel: Time is right to re-examine incentives under new national cyber strategy
The new cybersecurity strategy prompts a dialogue on incentives and liability, says Megan Stifel. In the realm of open-source software, legal safe harbor from liability “has to be accessible not just for the largest entities” under a “shared responsibility model,” she tells Inside Cybersecurity’s Charlie Mitchell.
March 17, 2023 | IST in the News