We ❤️ Open Source
A community education resource
CISA’s ‘Secure by Design’: How developers can lead the charge in open source security
Watch this video to learn why software manufacturers must own security responsibility.
Jack Cable, Senior Technical Advisor at CISA (Cybersecurity and Infrastructure Security Agency), discusses how the software industry can improve security, focusing on the role of open source software. Drawing a parallel with the auto industry’s evolution in safety, Jack argues that just as car manufacturers eventually prioritized safety, software makers must do the same to reduce vulnerabilities. Despite the persistence of basic vulnerabilities like SQL injection, Jack believes these can be eliminated through consistent effort and adopting secure design principles. CISA’s “Secure by Design” principles guide software makers to take responsibility for their products’ security.
Jack stresses that software security should not fall on end-users but should be managed by the manufacturers. Tech companies, especially those benefiting from open source, must prioritize security and contribute to the ecosystem. This shift is central to the U.S. National Cybersecurity Strategy, which calls on tech companies to take more responsibility for securing their products. In October 2023, CISA and 17 international cybersecurity agencies issued guidance on adopting these principles, advocating for transparency, accountability, and leadership from the top down.
The discussion then shifts to open source software. Jack explains that as open source becomes integral to technology, companies must not only use it responsibly but also help secure it. CISA’s Open Source Software Security Roadmap lays out a plan to collaborate with the open source community, measure risks, and secure package repositories. The idea of an Open Source Program Office (OSPO), already in use by some federal agencies, is highlighted as a way to manage both the secure use of open source software and contributions back to it.
Jack also addresses the growing importance of open source AI. While open source AI models foster innovation, Jack calls for full transparency, which should include not just model weights, but also training data and source code. This level of openness is essential for identifying and mitigating vulnerabilities in AI models, much like in traditional open source software.
Key takeaways
- Responsibility for security: CISA’s “Secure by Design” initiative encourages tech companies to prioritize security, emphasizing that security ownership should shift from end-users to manufacturers, with leadership driving security from the top.
- Securing open source: Companies must be responsible consumers and contributors to open source software. This includes supporting initiatives like the Open Source Software Security Roadmap to enhance collaboration, measure risks, and secure repositories.
- Transparency in open source AI: Full transparency in open source AI is crucial for security. Open source AI models should include not just model weights, but also training data and source code, enabling thorough analysis and vulnerability assessment.
Conclusion
Jack Cable’s presentation underscores the need for software manufacturers to take proactive steps in securing their products, especially in the open source ecosystem. By adopting CISA’s “Secure by Design” principles, companies can reduce common vulnerabilities and create more resilient systems. Collaboration with the open source community is key to securing the technology that underpins much of our daily lives. As the rise of open source AI introduces new security challenges, transparency and responsible practices will be essential to ensuring that AI remains secure and beneficial to all.