Virtual Library

Our virtual library is an online repository of all of the reports, papers, and briefings that IST has produced, as well as works that have influenced our thinking.

Podcasts

TechnologIST Talks: Looking Back and Looking Ahead: Deep Dive on the New Cybersecurity Executive Order

Carole House, Megan Stifel, and Steve Kelly

Podcasts

TechnologIST Talks: The Offense-Defense Balance

Philip Reiner and Heather Adkins

Reports

The Generative Identity Initiative: Exploring Generative AI’s Impact on Cognition, Society, and the Future

Gabrielle Tran, Eric Davis

Podcasts

TechnologIST Talks: A Transatlantic Perspective on Quantum Tech

Megan Stifel and Markus Pflitsch

Podcasts

TechnologIST Talks: The Future is Quantum

Megan Stifel and Stefan Leichenauer

Reports

Navigating AI Compliance, Part 1: Tracing Failure Patterns in History

Mariami Tkeshelashvili, Tiffany Saade

Podcasts

TechnologIST Talks: The Cleantech Boom

Steve Kelly and Dr. Alex Gagnon

Contribute to our Library!

We also welcome additional suggestions from readers, and will consider adding further resources, since so much of our work has already come through crowd-sourced collaboration. If, by any chance, you are an author whose work is listed here and you do not wish it to be listed in our repository, please let us know.

Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem

Zoë Brammer, Silas Cutler, Marc Rogers, Megan Stifel

SUMMARY

Software is a foundational part of the infrastructure of the modern world. While vulnerabilities can be present in all types of software, the majority of software developers rely to some extent on open-source packages so that they can innovate without rebuilding the same components many times over. Provided that these packages are secure, open-source software creates added capacity that translates into economic gains. The impact of the Log4j software vulnerability (CVE-2021-44228), disclosed on December 9, 2021, should prompt cybersecurity professionals and the software ecosystem at large to reimagine how to mitigate open-source software vulnerabilities.

As vulnerabilities cannot be completely eliminated, and can be rapidly exploited by a wide array of actors once disclosed, there is an urgent need for a plan that both reduces the prevalence of vulnerabilities and mitigates the greatest risks posed to the entire software ecosystem when they do arise, now and in the future.

This report advocates shifting open-source software security to a shared responsibility model, redoubling support for existing secure software development frameworks, policies, and licenses, and reexamining approaches to vulnerability management and mitigation to ensure they account for open-source software. If adopted and implemented by stakeholders in the open-source software ecosystem, these recommendations could help reduce the impact of vulnerabilities such as Log4j and prevent future vulnerabilities from arising.


The publication of this paper was made possible by a generous grant from Omidyar Network, a social change venture that works to reimagine critical systems and the ideas that govern them. We are grateful to Omidyar Network for their support of our research into the security of the open-source software ecosystem.

Thank you to all those who have been involved in the research for this paper, including members of the IST team, external contributors, and anonymous peer reviewers. We are grateful to all those who took the time to lend their expertise to this project.
