At the Department of Defense Intelligence Information System (DoDIIS) Worldwide Conference 2023 in Portland, Oregon, Tidelift VP of Public Sector, Robert Wickham, sat down with Francis Rose at Fed Gov Today.
The theme of the discussion, "Chaos to Clarity: Leveraging Emerging Technologies," asked industry leaders to share their insights on the balance between innovation and security, and Robert spoke on open source and its role in the public sector space.
Francis Rose: Robert Wickham, great to see you. Thanks for joining me. What do you see for the organizations that are driving innovation well? In the Defense Department, in the NatSec community, how are they doing it? What's the common thread that you've seen among what those organizations are doing?
Robert Wickham: From my perspective, living in the app dev world, we see a lot of dependency on open source software to really spur innovation. These tools are created to solve problems before they become big problems. They can be released quicker. They solve emerging problems and address emerging challenges. And there's a lot of very smart people that are creating these tool sets and these applications to really advance their mission objectives around various applications to support, particularly here at DoDIIS, the warfighter.
Francis: Before we turn the cameras on, you talked about the fact, though, that there is a flip side to that, and there are things that organizations need to be careful about, regarding a reliance on open source software. What is that flip side?
Robert: Yeah, so there has been a lot of policy and guidance this particular year addressing just that point. CISA open source security roadmap, the OMB memos, M-22-18 and M-23-16. Even the National Cybersecurity Strategy talks about safe ways, better ways to adopt open source. There's concern that our adversaries are potentially inserting malicious code into open source repositories as a way to insert attack surface, if you will, into the app dev pipeline. So we see a lot of these things and we're working to try to make it easier and more manageable, and even automate some of the ways that open source can be adopted securely.
Francis: Those are some of the challenges that folks, I want to say it's 5, 6, 7 years ago, when open source really, really gained a lot of momentum inside the Defense Department in particular. Those were the reasons that folks gave as to why the Department should avoid using open source software. Are we far enough do you think as a community beyond those concerns, not to stop thinking about them, but to stop using that as a potential reason to go back to the way that people used to develop software?
Robert: It's a good thought—I'm not sure that we can ever truly get away from open source. It takes commercial organizations, if you think about how long it takes for them to go through the QA process—months, in some cases years, to add features. There's also an advantage to open source in that I can own the source code, and I can manipulate it in a way that may not be publicly known, thereby making it potentially more secure. So I know there was guidance kind of away from that; if you remember, a couple of years before that there was a big push to adopt open source. So, I think like anything else, it ebbs and flows. I think the tools are getting better. I think the policy is getting clearer. I think the hygiene around the best practices to adopt open source in a secure manner is getting better. So I don't see it going away. I think the concerns will remain, but the techniques to defeat those concerns are evolving along with the use cases to support it.
Francis: How would you like to see those techniques, policies, and so on continue to evolve? To really solidify the position of open source software.
Robert: So I personally believe that we're doing a good job today with container hardening and scanning everything all the time. I think there's a case to be made that securing open source upstream, better raw materials in, provides what I refer to as a vulnerability prevention approach, so if they follow the NIST secure software development framework, even these free open source maintainers, and they make sure that they are coding with the best hygiene and best security tools, then it's less likely that vulnerabilities are developed over time. I mean, transparency scanning gets better, we understand the transitive dependencies better—we get a better idea of what's in these particular packages, thereby allowing us to make better decisions as to whether to include them or not include them.