Friday, May 3 • 2:30pm - 3:15pm
Best Practices for Using Open Source Software Safely and Securely

There are many misconceptions about the safety and security of open source software. For those used to proprietary software solutions that are managed by a central vendor, the transparent ethos of open source can seem risky and disconcerting. History and research have demonstrated that this is not the case.

The transparent nature of open source makes it easier to identify security vulnerabilities early and to remedy them quickly. An entire ecosystem of tooling also exists to help open source developers ensure their code is secure from the start, and to help end users verify that security before they implement the source code. These tools include security scorecards, Software Bills of Materials (SBOMs), authorization and authentication policies, the Secure Supply Chain Consumption Framework (S2C2F), software signing, and more.

This session will provide an overview of the current and planned CISA activities to secure OSS and improve visibility into its usage and trustworthiness, allowing you to take advantage of the benefits of open source while reducing overall security risks.

Speakers
Olga Livingston

Senior Economist, CISA


Friday May 3, 2024 2:30pm - 3:15pm EDT
