Please use this identifier to cite or link to this item: https://dair.nps.edu/handle/123456789/5159
Title: Open Source Software (OSS) Transparency for DoD Acquisition
Authors: Carol Woody, Nancy Mead, Scott A. Hissam
Keywords: Software; Acquisition; Open source; Source selection
Issue Date: 1-May-2024
Publisher: Acquisition Research Program
Citation: APA
Series/Report no.: Acquisition Management;SYM-AM-24-104
Abstract: Caveat emptor, or “let the buyer beware,” is commonly attributed to open-source software (OSS)—the onus is on the OSS consumer to ensure that it is fit for use in the consumer’s context. OSS has been compared to an open market bazaar where consumers are free to browse all the source code and take a copy. But there are a few fundamental problems with such an analogy:
• The consumer must have the wherewithal and skills to comprehend the source code in a manner that allows them to use it effectively, which might exceed the skills of the myriad authors who produced that software in the first place.
• The consumer also lacks the insight into the practices exercised by the authors in the production of that source. Such practices include code quality checks, peer reviews, software testing, and secure software development practices.
The burden on the consumer is considerable. Consumers—both individuals and organizations—have access to proprietary and open-source tools to help them analyze source code as a means of understanding what is good and what is problematic, if they are aware of and use those tools. What a consumer lacks is an understanding of how OSS differs from other third-party software products. OSS contributors and maintainers may be arbiters for the OSS product, but they are not selling it. Caveat emptor, therefore, applies not only to the OSS product the consumer wants to use, but also to the consumer knowing more about the OSS project, its contributors and maintainers, and the processes they follow. To gain that insight, transparency is needed for consumers to have access to the data and information about the OSS project that is meaningful from a software integrity and assurance perspective and suitable for supply chain risk analysis. The Open Source Security Foundation’s (OSSF’s) SLSA and CHAOSS are initial steps in this space.
The Software Engineering Institute (SEI), MITRE Corporation, and the Carnegie Mellon University Open Source Programs Office (CMU OSPO) are currently working on effective measures for supply chain risk management as it pertains to OSS. This collaborative effort is proposing forming a special interest group within the OSSF. This paper shares the results to date in this area of research.
Description: SYM Paper
URI: https://dair.nps.edu/handle/123456789/5159
Appears in Collections: Annual Acquisition Research Symposium Proceedings & Presentations

Files in This Item: SYM-AM-24-104.pdf (547.84 kB, Adobe PDF)