The EU Efforts To Secure Open Source Software [On-demand Session]

Watch this session from Open Source Summit Dublin to learn more about the European Union's response to the ever-changing open source security landscape.

The EU Efforts To Secure Open Source Software [On-demand Session]

Can't see the embedded YouTube video above? Click here.


OSS is incredibly positive - without projects like Docker, Kubernetes, Debian, NGINX, Apache, or others, technological innovation would be painfully slow. Its innovation, ease of use, and zero cost meant that nearly every piece of software contains OSS.  

OSS is everywhere, including data centers, hospitals, e-commerce, phone networks, mobile devices, and power stations.

Last year, the Whitehouse issued an Executive Order after the fallout of SolarWinds. This kickstarted the use of SBOMs, a flurry of new projects to protect the supply chain, and the rise of OpenSSF.

  • How has the EU responded to Critical Threats in OSS?
  • Are the threats to the EU different from the USA?
  • The EU is not 1 country but is made up of 27 countries- how does this affect change?
  • A look at Ireland as an example country in EU and how it is affected by threats to the OSS supply chain and how the EU helps

Transcript:
(00:00) Thanks everybody for coming today um I'm actually from Dublin so I'm really delighted that the OS Summit is hosted here. So today I'm going to talk about the EU efforts to secure the open source open source software. I'm Ciara Carey I work in developer relations in Cloudsmith and before that I was a software engineer for over 10 years so I kind of got into the software supply chain starting in Cloudsmith it's an artifact repository so it deals a lot with it has a lot of information about how

(00:42) your artifacts are built and signatures and metadata and all that kind of stuff I'm working in developer relations I have to research and write about the software supply chain a lot and this brought me onto the topic of supply chain software supply chain and software supply chain security when researching it I keep on hearing about what the US is doing their executive order their work on s-bombs stuff like that and as an EU citizen I want to know what the EU is doing to secure open source software so that's

(01:18) where I came from I want to know um yeah what the EU is doing for open source security where the gaps are and what can be done to drive the EU to action so our agenda today I'm going to start with open source software supply chain a definition on that I hope you haven't had too many definitions I'm probably going to show that same image so then I'm going to go on to why should the EU care about open source security the US's response and the eu's response and then I'm going to talk about my hopes

(01:56) for the future on ease policies on open source software I'm going to finish with what we can do to influence the EU to take it to take greater action on open source security so the only direct funding of security for open source was initiated by these two MEPS Anderson and Rita and in 2014 after the harp lead um critical vulnerability and open SSL so that's the only funding that has gone towards securing open source software and that was started from like political from a political point of view from these MEPS and so I think although the

(02:42) EU should care about open source software and we should try to influence it to care about open source software with um and by contact and get political basically so this is the image it's like probably seen it 10 times on the stock so opensource is really positive without projects like kubernetes, Debian, nginx, Innovation would be painfully slow between 70 and 80 percent of code contains open source software in their dependencies and a massive part securing your software supply chain requires securing open source software and a lot of like

(03:24) critical infrastructure in the EU contains open source obviously because wherever their software this open source so uh your software supply chain contains all the on the steps involved in creating your software and a big part of that is your third-party dependencies which are likely to be open source the types of attacks you see on open source tend to attack vulnerabilities existing in your open source dependencies like uh harp lead or um the the one in December log for shell and another way is by attacking attacking the mechanism for how you

(04:08) consume that open source so by attacking like we usually consume it from a public repository like npm that kind of thing by tacking that mechanism using type of squatting or dependency confusion you can um attack the supply chain and the end result is similar to all cyber attacks you get access to customers data or your own data or information that you don't want to let out so last year during the height of the pandemic there was a Cyber attack on the Irish Healthcare System like doctors and nurses walked into

(04:51) hospitals and they're presented with like a blank screen and they had to go back to pen and paper cancer patients had to stop treatment it like it was over 100 million in damage even though they didn't pay their ransomware and they got the decryption keys back I don't know exactly what happened there but the damage was done so why should the EU care about cyber attacks this attack on the our child care system it's not like an incidence it's a trend there is an attack last month on a French hospital

(05:25) and patients had to go elsewhere and other critical systems are being attacked by cyber criminals they're State actors pipelines governments water have all been attacked and this has stepped up since the war in Ukraine so Russia has turned off eu's main source of gas if they also launched a Cyber attack on other sources of energy it'd be an absolute disaster so European citizens should be protected from attacks on systems that they rely on and although the EU member states themselves bear the prime responsibility

(06:02) for countering attacks these threats can be better addressed at coordinary response at an EU level also the EU is striving to be a leader in cyber security it is moved to um it has moved to improve the cyber security in member states and it recently passed another directive in Parliament improved the overall security of member states niz 2 replaced nism and Ursula vanderline the president of the European commission during her State of the Union Address last year said the EU should strive to become a leader in cyber security

(06:42) so she had her her 2022 State of the Union Address this year so she did mention digitalization but there was a bit less about cyber security because they were pretty busy right Ukraine I'm still up there still relevant guys so why should the EU care about open source security in particular they care about cyber security but what about open source security so open source software supply chain talks are one of the Avenues of the talk for a cyber cyber attack and they're on the rise aqua's Security argonate Experts found that software

(07:22) supply chain attacks grew by more than 300 in 2021 compared to 2020. I saw another report by um sonotype Nexus which I said 600 but I was scared because that was soon to a lot so I went I wrote this 300 is scary anyway so but 600 it's too much for me so there was also an instant response report by Palo Alto instant responders those are the guys you send in after you've had a Cyber attack and you're like ah how do I get out of this and they figure out where your where you were where was the access point of attack and clean

(08:00) everything up and there are 2022 reports they analyzed over 600 incidents and over the last year and they found that vulnerabilities in software or the suspected initial access factor and 31 of cases second only to fishing so not all of those 31 percent were open source vulnerabilities but um the second most common vulnerability as a point of attack was log for Shell so this was released in July and like um laude was only in December so that seems like a lot but we can all agree it's a problem so again why should the EU care about

(08:47) open source software the EU is actually aware of threats from the supply chain supply chain attacks the European Union Agency for cyber security and Esau their 2021 threat landscape report included cyber cyber supply chain attacks and they also conducted an in-depth study in 2021 analyzing 24 software supply chain attacks from around the world including solar winds and all those ones so the EU wants to be a leader in cyber security supply chain attacks are increasing so that you need to address open source security as one of the main Avenues into

(09:26) a supply chain attack so I'm going to sort of been comparing like I'm only going to go over the US response lightly but is it even fair to compare the US and the EU and how they respond to um open source security well there's a huge big differences you know political structures we have we don't really have that executive branch that can just do things like the US can and member states are their own country there's loads of different languages and the US

(10:03) federal government has control over more areas of of um than the ages like the military and health but I think it's kind of fair I think it's fair they have similar sizes values and cyber threats to your critical infrastructure and they've similar threats to their critical infrastructure on their citizens and also the EU and the US they have similar sticks and carrots they have like you know a big amount of money for funding and they also have fines available so um their responses can be quite similar yeah so um let's compare them on their

(10:43) sbombs vulnerabilities training and awareness so we'll start with the US so after the solarwinds attack um the U.S the the published this executive order to improve cyber security of software supply chain attacks in May of last year and it really signaled the importance of s-bombs that executive order was for me I thought it was quite um with the team that wrote that really understood how software was built and how important open source was to software they and they didn't do what maybe other organizations would do and say oh we

(11:29) have to take open source out of all our software systems and only use proprietary on Commercial software they understood that open source by being more transparent has the potential to be more secure than commercial software but there needs to be steps to make it more um transparent and securities so on s-bombs they came up with the standardization the minimum elements of an s-bomb and there is a proposal which will for for the any software sold to the US government to contain an s-bomb there's also been a lot of work on

(12:13) promoting the idea of s-bombs oh and did I explain s-bombs because they're software bill of materials so it's like an ingredient list for your product and a lot of that ingredient list will be open source software so it's about telling he's been holding this this um Alan Friedman from Cesar he's been um writing about us bombs talking to people about our spams and being a real evangelist for the use of them on vulnerabilities um the US has like existing infrastructure on dealing with vulnerabilities that it's like more like

(12:51) more advanced more mature than these so they have the national vulnerability database that's actually hosted by a us institution and they have like a vulnerability disclosure policy as well but last year they set up a new bug Bounty program for Department of Homeland and as well as expecting an s-bomb with any software so to the US they also expect the software to not have any vulnerabilities unless there is mitigating circumstances or reasons why you're not vulnerable on the training fund through La this

(13:34) year there was a bill to train federal employees on software supply chain security especially people purchasing software because that's when you're buying software you have so much power in bringing new open source into your system so that's really important and last week the National Security Agency partnered with other agencies to really support a report entitled securing software supply chain for developers and I had some practical ways for developers to write secure code including when um how to

(14:14) bring dependencies into your code but the place where the US was really impressive was their awareness people at the highest levels were talking about open source and open source security and funding the mundane they're starting with the executive order I talked about and like um then it was also after luck for Shell they brought in loads of stakeholders into the White House from open source maintainers they brought in consumers and um of other open source big tech companies and um and they brought them all in and like

(14:54) talked about how can we improve the security of Open Source in particular then they held a hearing in the Senate were like really impressive people came more aggressive than they came to talk about um love for shell and how to prevent another open source vulnerability in the future generously the head of sisa talked about log fresh out being the most serious vulnerability she's ever seen so they've really brought the awareness to the highest levels of um and this this is not nothing it's sort of like the US is soft power to

(15:33) influence change so what is the awareness done well there's been lots of there's been announcements about Arthur Omega this week I think at this conference um there's the open source software security mobiles like mobilization plan There's real money behind these projects and it's funded by big tax it's not actually funded by the US government but it's um they've made huge moves to improve open source security and actionable things that they're actually going to do with money behind us

(16:07) there's also really um invigorated work in the area open ssf has like super active working groups talking about open source security and the amount of contributions from six store a project on open ssf to make signing software simpler so it's really activated individuals and organizations to solve this huge problem so before I talk about the eu's response we'll just um give you some background so the EU in the last few years has like had this big push for digitalization and interoperability and they've talked about it in the State

(16:55) of the Union addresses the last few years one of the one of the big legislations around cyber security has been niz the network Network information security stuff like that and that came in that was the first bit of legislation on cyber security they came in 2016 so it's quite recent and niz 2 has just gone through Parliament likely to be published next year it's a directive and the aim of it is to increase the minimal level of cyber security in member states so part of that is they've listed out they've the member states have to list

(17:36) out all the private and public organizations that are really important to your the member states critical systems and they've put obligations on those organizations or companies so there has been um some criticism on this saying that there's there's too much of a differentiation between member states some member states have taken it really seriously and they've like listed out all of their hospitals and all this kind of thing but um others have barely listed any organization so there is a huge difference in how member states have

(18:17) reacted to this and that's because it's a directive you know you have to still transpose that into the member states law but in this two kind of tighten that a bit more than the originalness so we should see more alignment over the next few years as it's Gonna Roll Out there's been a lot of other legislation like we've all heard of gdpr and that's implemented Dura banking it's just been published there's something on AI that's been published and seem to be published maybe next week is this cyber resilience act

(19:00) um which should be for iots and that should be that should have something on supply chain security but we'll wait wait for it to be seen another thing is that the EU has updated its open source strategy in 2020 and as part of that it opens up an ospo office in the um the eu's basically their it department so the hospital office for the commission and they're real gem their whole point is to um they're all good there I have their their ultimate goal is to change the mentality of the EU commission to change

(19:39) culture and embrace open source in terms of practices and tools because people are sometimes afraid to use open source they don't know if they're allowed they write software that would be um that would be other people could use but they don't really know the mechanisms for publishing it and they so they've really um promoted the open source culture within the EU Commission and this is how to look by Miguel Diaz Blanco so now let's talk about the eu's response to securing open source software

(20:17) so with respect to cyber's um s-bombs the Cyber resilience act that I talked about which should be published soon will probably mention s-bombs the Cyber resilience Act is going to be about iots and like sort of uh Hardware that's hard to update the software embedded systems that kind of thing and if you look at the feedback I don't know what's actually going to be in it but they I've seen some content arranged is about the software supply chain and that kind of thing and there's you can

(20:49) see um feedback from the public and that talks about s-bombs it talks about salsa which is a framework for securely building software so it'll be interesting to see what's in that on vulnerabilities the osbo office that I talked about they've created an inventory of all the open source used within the commission and they've also developed a methodology for um for for prioritizing your inventory which can be replicated they've surveyed maintainers of Open Source software critical it's the EU

(21:28) commission like Apache live XML curl and ask them what they needed to secure their software and it's kind of what we've all heard it's we need more funding we need more contributions and they specifically ask for help with regard to security and they wanted help from the cyber security agencies and member states cyber security agencies on vulnerabilities again the um the directives news and this too that's recently gone to Parliament they have created a list of critical sectors in the EU both public and private

(22:07) and there will be requirements um the nurse 2 will require these organizations to report security incidents to member states and now there's a coordinator vulnerability disclosure process across the EU and as part of that they'll have a new European vulnerability database so nist 2 should be rolled like next year I think they think it will be gone through plenary and then it'll take another 20 months before it's in um member states rule books another thing that they've done on vulnerabilities is um the book Bounty

(22:46) program this started in 2014 by two MEPS Rita and Anderson after the heart bleed vulnerability so initially it started out as like these two MEPS came to the commission and they said um I'm not going to pass the budget unless you give money towards open source security and they came up with like giving 1 million to um within the ee commission itself but that that would go through go through open source security and it started off as an inventory and it eventually became a bug Bounty program and a hackathons

(23:26) and now the ospo office actually runs both of them so I I think this really illustrates how politics can really move open source security funding and uh like knowledge within the EU on training the European cyber security agency in Nisa is and dedicated to achieving a high level of cyber security across Europe and helps you prepare for a cyber security challenges of tomorrow they hold training days and workshops but there's nothing specific to supply chain security Anisa had a 2021 report on supply chain attacks but they only really touched on

(24:11) how to prevent them and they barely mentioned open source as um a conduit of the attacks on awareness after love for shell the US had all these stakeholder meetings held hearings in the standard they have a s-bomb evangelist um I don't see that kind of awareness within the EU bringing in stakeholders on open source security I couldn't find a hearing in the European Parliament committee on on log for Shell or open source security and maybe that's because the two MEPS I talked about they haven't

(24:53) they didn't get elected again in 2019 so maybe if they were here for love for shall we'd be seeing more awareness within the EU so some of the good stuff in the EU on open source security um their book Bounty program has like found hundreds of books and fix them I hope um the the EU commission's ask for office is a real Shining Light for not just open source security but open source culture in general and I think the news and is to vulnerability disclosure infrastructure will shine a light on vulnerabilities

(25:34) that weren't even disclosed I think a lot of um we don't even know where we are because people just pay the ransomware and then they move on they don't disclose it to their members they don't disclose it to the government so nobody has like an accurate picture on um cyber attacks the bad um so open source maintainers of critical systems are not funded directly to improve security it'd be great to see some funding maybe on I know public repositories now like Pipi and ruby gems they're forcing some of their top

(26:13) contributors to have um 2fa which is great for security but actually supporting that takes a lot of people power and money like if you're resetting to fa you need people to actually look into that and reset it for people it'd be great if we could like if the EU would fund security directly that way or even fund them by if if a container doesn't open it does a security course that they would get money and training behind that there's lots of different ways to fund them directly but it is difficult to kind of get money from the

(26:50) EU another issue is that book banking program that I talked about that's really successful seen running since 2014 it's not a permanent program so it could be dropped any minute the initial sponsors of the program the two MEPS they um they're not elected again so they're now they're looking for new sponsors they're looking they're always looking for funding you know it would be great if they could just concentrate on the good work that they're doing instead of having to look for funding every

(27:17) every year sometimes sometimes they're in a three-year um they have a three-year fund but so permanency would be great so the osbo office is only over the EU commission so when they're doing an inventory of all the open source it's only used in the commission it's nothing to do with critical infrastructure in member states it would be great to um fund ospo offices within member states or to have Anisa the cyber security agency have some control over that and an inventory of all the open source

(27:53) would be excellent you know where to start you know what you're using you can make decisions strategic decisions on that so another thing is s-bombs weren't mentioned by niz and there's two directives and they haven't really been mentioned much in anise's content it'd be great to see more training on s-bombs and maybe niz3 will will mention it and maybe ask for critical systems to provide s-bombs when they're something like that or maybe they'll when you're purchasing software

(28:29) you'll require an sbomb like the US government is looking to do but at the same time I suppose the tools around generating and analyzing s-sponsors quite young so um I can understand why they don't want to put that in legislation yet there's also a lack of training materials and workshops from Anisha it would be great if they could train maintainers if they can train um software developers working in critical systems if they could train procurement officers um so all those things would be great and um so open source security needs to

(29:09) be talked more about Anisa and on committees and MEPS that awareness that the US is bringing I'd love to see that in the EU as well so what's next for the EU and open source security well um for Anisa actually they have advertisements for their security Advisory Board they're looking for people to be on their board and that's ending like the end of this month September the end of the 30th of September so if anybody here is like a open source security expert it'd be great to have that that knowledge on the cyber

(29:55) security agency in Europe unlike really help them understand the problem and invest in it um I'd love for there to be funding available I know the EU was talking about how it wants digitalization and interoperability but that all has to be based on a secure system and a lot of software is based on open source and for and for um literally oh sugar oh sugar sorry it's okay this happens yes I think I've talked so what can I do next I've actually preferred this because I didn't realize I couldn't have my speaker notes

(30:51) [Laughter] so that was just a fake fake out I did that on purpose so uh what can I do next um in the to invest in open source security so what I was talking about there I need I need people to imply apply to the board for Anisa and also I want um people to ask their MEPS what are they doing to secure open source software in critical systems like I was saying the only direct funding towards security of Open Source software has been this book Banky program those two mepses got are gone there hasn't been um any MEPS

(31:29) asking for funding in the same way since they left so we need politicians to understand that problem like during this talk I I contacted me because they got back to me they don't I'm not like an important person MVPs do you want to do the right thing and if we're not talking to them as an individual or as a community well then they're probably going to fill that knowledge either with no knowledge or with like Consultants idea of what they should do so um I'd look for the open source Community to work to it together to

(32:03) Lobby the EU to invest in open source in order to protect critical infrastructure like other special interest groups petitioned their MEPS for attention and funding and the open source Community should do the same so um there's actually I found out today there's this program called digital compass the EU is defining and asking for feedback for its digital Ambitions for 2030.

(32:32) let's make sure that our thoughts are heard too so Ursula Evangeline talked about how the EU should strive to become a leader in cyber security policies on funding and open source in general and our critical systems specifically are important to the growth success and security of the EU so that's well done any questions boom yeah does anyone have any questions yeah other level yeah so I've seen a lot of like interaction between the US and the EU recently on digital matters they have like the EU has opened an office in San Francisco and I think it's mostly still

(33:28) regulation but you know if they're not busy maybe they could they could talk about um open source could be part of that because a lot of like open ssf it has been working with the US governments it'd be great if the EU also works with them on that mobilization plan because all the work that they're going to be doing to improve security for open source in the US will benefit the EU but there's been other toxic communication with the US and the EU are working on improving um digital infrastructure in Africa or

(34:04) something like that I heard that recently so there seems to be a few things happening lining up um so I I'd love to see them working together it would be an absolute it would be so terrible if they came up with their own standard for s-bombs so it's stuff like that would be would be amazing any other questions hey a 12 months um so I think over a software supply chain Security in general um I think it's how we just don't know what software we're using and like if you don't know what you're

(34:55) using you're really you know setting yourself up for failure so that's why I think s pumps are so important because if you know where you are you can make a strategy to incrementally improve but if you don't know where you are then you're just like a sit and joke hey yeah there's there's some member states that are like more advanced than others like um Germany has a nice post some cities have I suppose uh it's mostly in departments they'll have an ospo so um there is I suppose in and in

(35:48) member states but they don't seem to be like at the height you know like they're not like like the Irish government doesn't have a hospital at that high level it seems to be like in stock and departments or maybe they're not even um they don't even call themselves an ospo that's that there is a there is a talk today about ospo's in Europe and it's like oh I wish I didn't have to know any more information I've already written my talk but um yeah they were saying that's where I heard that a

(36:18) lot of uh cities have hospitals I think the city of Amsterdam has warned um open source is uh quite good in in quite mature in in some countries like France Finland Estonia um and it would be great to bring that up too and I know um that digital compass there will be funding going directly to member states it won't surpasses and it'd be great if part of that could be used to fund train and like for travel for events to do with ospers I'd love that.  So that's it thank you! [Applause]