“After I worked on a report from the US Cyber Safety Review Board regarding the Log4j vulnerability, I was shocked to find out that the developer community isn’t necessarily educated on security by design.”
These words come from the Acting National Cyber Director of the US Office of the National Cyber Director (ONCD), Kemba Walden, in the opening keynote of the second day of the Black Hat USA conference, on August 10, 2023.
She announced during her talk that the ONCD and four other US government agencies (CISA, DARPA, the National Science Foundation and the Office of Management and Budget) had launched the same day a request for information on open source software security and memory-safe programming languages.
With this initiative, the White House is calling on the cybersecurity and software development community “to plug in and help us make good, realistic policies to make our open source software more secure, in line with initiative 4.1.2 of the National Cybersecurity Strategy Implementation Plan to secure the foundation of the internet,” Walden explained.
She insisted that, while it’s impossible to get rid of the need for security patches, “we shouldn’t normalize patching routines like Microsoft’s Patch Tuesdays. We should really focus our effort on making open source software secure-by-design.”
Responses are due by 5:00 p.m. EDT on October 9, 2023.
“There are very specific questions in the request for comments. My advice to all people is that the more you can provide crisp answers for policymakers like me, the more useful it will be,” Walden added.
This announcement comes one month after the White House established the Open-Source Software Security Initiative (OS3I), an interagency working group with the goal of identifying policy solutions and channeling government resources to foster better open-source software security across the ecosystem.
OS3I identified several focus areas, including encouraging the proliferation of memory-safe programming languages; designing implementation requirements for secure, privacy-preserving security attestations; and identifying and promoting focused areas for prioritization.