Securing Software

Ask any IT professional and they will tell you: there is no such thing as absolute security in computing. This is clearly backed up by the seemingly constant stream of security breaches, data heists and the hotfixes released to correct them that we see reported on our newsfeeds.

Date: 16/12/2021

Recently, the Log4j vulnerability demonstrated how this affects open source software in its own particular way. Simply put, if everyone is using the same open source component in their software, a vulnerability in that component is going to affect many pieces of software. Hence, the success of open source software bears risks: centralisation onto a single solution can create single points of failure.

This was discussed recently at the highest level within the United States government: at a meeting at the White House, leaders from the government and the private sector came together to discuss how the security of open source software can be increased, now that many pieces of it have become de facto critical infrastructure. The White House is not the only one paying attention to the issue.

The European Parliament and European Commission, for instance, have recently launched the FOSSEPS initiative, which will, amongst other objectives, create an inventory of Europe’s most critical open source software used by European Public Services. The French national agency for the security of information systems, ANSSI, in turn, contributes to the development of the OpenCTI project (Open Cyber Threat Intelligence), in cooperation with CERT-EU, the EU’s Computer Emergency Response Team.

There are plenty more examples to give, but one question is whether the Log4j incident might have a chilling effect on the adoption of open source software in critical systems. One way to answer this question is to look at the new open source software policy of the US Department of Defense (DoD). This new policy, adopted roughly a month after the Log4j vulnerability became public, commits the public authority to preferring open source software over proprietary software. The DoD, no stranger to security concerns, includes an assessment of the security challenges related to open source software and how to mitigate them, and points out that openness in software development actually plays an important role in mitigating security risks.

Open source software has now arrived as an important subject at the highest political levels. It is clear that security vulnerabilities affect all types of software. Yet, the openness in the development of open source software might make it more robust. Therefore, the most critical question is whether the necessary development and maintenance practices are in place to alleviate the security risks and achieve a high level of cybersecurity.

The OSOR team