<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

Tidelift VP of Public Sector Robert Wickham on open source and innovation with Fed Gov Today

At the Department of Defense Intelligence Information System (DoDIIS) Worldwide Conference 2023 in Portland, Oregon, Tidelift VP of Public Sector, Robert Wickham, sat down with Francis Rose at Fed Gov Today. 

The theme of the discussion, "Chaos to Clarity: Leveraging Emerging Technologies," asked industry leaders to share their insights on the balance between innovation and security, to which Robert spoke on open source and its role in the public sector space. 

Transcription

Francis Rose: Robert Wickham, great to see you. Thanks for joining me. What do you see for the organizations that are driving innovation well? In the Defense Department, in the NatSec community, how are they doing it? What's the common thread that you've seen among what those organizations are doing?

Robert Wickham: From my perspective, living in the app dev world, we see a lot of dependency on open source software to really spur innovation. These tools are created to solve problems before they become big problems. They can be released quicker. They solve emerging problems and address emerging challenges. And there's a lot of very smart people that are creating these tool sets and these applications to really advance their mission objectives around various applications to support, particularly here at DoDIIS, the warfighter.

Francis: Before we turn the cameras on, you talked about the fact, though, that there is a flip side to that, and there are things that organizations need to be careful about, regarding a reliance on open source software. What is that flip side?

Robert: Yeah, so there has been a lot of policy and guidance this particular year addressing just that point. CISA open source security roadmap, the OMB memos, M-22-18 and M-23-16. Even the National Cybersecurity Strategy talks about safe ways, better ways to adopt open source. There's concern that our adversaries are potentially inserting malicious code into open source repositories as a way to insert attack surface, if you will, into the app dev pipeline. So we see a lot of these things and we're working to try to make it easier and more manageable, and even automate some of the ways that open source can be adopted securely.

Francis: Those are some of the challenges that folks, I want to say it's 5, 6, 7 years ago, when open source really, really gained a lot of momentum inside the Defense Department in particular. Those were the reasons that folks gave as to why the Department should avoid using open source software. Are we far enough do you think as a community beyond those concerns, not to stop thinking about them, but to stop using that as a potential reason to go back to the way that people used to develop software?

Robert: It's a good thought—I'm not sure that we can ever truly get away from open source. It takes commercial organizations, if you think about how long it takes for them to go through the QA process—months, some cases, years to add features. There's also an advantage to open source and that I can own the source code, and I can manipulate it in a way that may not be publicly known, thereby making it potentially more secure. So I know there was guidance kind of away from that, if you remember, a couple years before that there was a big push to adopt open source. So, I think like anything else, it ebbs and flows. I think the tools are getting better. I think the policy is getting clearer. I think the hygiene around the best practices to adopt open source in a secure manner are getting better. So I don't see it going away. I think the concerns will remain but the techniques to defeat those concerns are evolving along with the use cases to support it.

Francis: How would you like to see those techniques, policies, and so on continue to evolve?  To really solidify the position of open source software.

Robert: So I personally believe that we're doing a good job today with container hardening and scanning everything all the time. I think there's a case to be made that securing open source upstream, better raw materials in, provide what I refer to as a vulnerability prevention approach- so if they follow the NIST secure software development framework, even these free open source maintainers, and they make sure that they are coding with the best hygiene and best security tools, then it's less likely that vulnerabilities are developed over time. I mean, transparency scanning gets better, we understand the transitive dependencies better—we get a better idea of what's in these particular packages, thereby allowing us to make better decisions as to whether to include them or not include them.

Resources to get you started

2024 recommendations to proactively reduce open source risk

2024 recommendations to proactively reduce open source risk

An overview of IDC research and current recommendations for application development and security leaders to improve open source resilience and reduce risk
Watch now
The guide to managing open source software risk with Tidelift

The guide to managing open source software risk with Tidelift

Want to understand the best practices for responsibly using open source components in your organization? Learn how to proactively reduce risk, improve security, and use open source with confidence with the Tidelift Subscription.
Download now
Upstream

Upstream

A free one-day celebration of open source, the developers who use it, and the maintainers who create it
Register now
See More Resources

Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.

Remember:

  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.

Remember:

  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.