Driving Policy To Secure the Open Source Ecosystem - Jack Cable, Corridor

Presenters

Jack Cable

Source

OpenSource SecurityCon NA 2025

Securing the Digital Foundation: How Policy and AI are Reshaping Open Source Security 🚀

Hey tech enthusiasts! Ever stopped to think about the invisible scaffolding that holds up so much of our digital world? That’s right, we’re talking about open-source software (OSS). And as the digital landscape evolves at lightning speed, so too must our approach to securing this vital foundation. Jack Cable, co-founder and CEO of Corridor, recently shared some fascinating insights on how government policy and the rise of AI are dramatically changing the game for OSS security. Let’s dive in! 🌊

🏛️ The Government’s Shifting Stance: From Laggard to Ally

Historically, the government, despite being one of the biggest users of OSS, was a bit slow on the uptake when it came to actively securing it. But times are changing! Jack Cable, with his firsthand experience at CISA and on Capitol Hill, highlights a move towards a more proactive and supportive role for the government, aiming to strengthen the entire OSS ecosystem rather than just imposing regulations.

Key Milestones That Sparked Change ✨

Federal Source Code Policy (2016): This was a crucial first step, encouraging federal agencies to get a handle on their source code, including sharing it internally and even contributing some to the open-source world. While a positive move, the security aspect of OSS didn’t get as much spotlight initially.
Log4j & Heartbleed Wake-Up Calls 🚨: These massive, system-crippling vulnerabilities served as undeniable, and frankly terrifying, reminders to policymakers about the critical importance and inherent risks within OSS. They reignited the urgency to address OSS security head-on.
The “Securing Open Source Software Act” (Proposed) 📜: Jack Cable was a champion for this bill, which aimed to:
- Empower CISA: Give CISA the primary mission of securing the OSS ecosystem, recognizing it as fundamental to our nation’s critical infrastructure.
- Understand Federal OSS Use: Mandate the Office of Management and Budget (OMB) to provide guidance on managing OSS risks and pilot Open Source Program Offices (OSPOs) within agencies. These OSPOs would be instrumental in managing how agencies use and contribute to OSS.
- Dodge Bad Ideas: Cable actively pushed back against proposals like mandatory identity verification for OSS developers, which could have had a devastating impact on the global OSS community.
- Real-World Impact: Even though the bill didn’t become law, many of its core principles have since been integrated into subsequent government actions.
White House & Rust Memory Safety 🛠️: A significant win was a provision Jack helped embed into an appropriations bill, mandating a report on memory safety. This successfully pushed memory safety to the forefront of policy discussions. This has led to exciting initiatives like DARPA’s Tractor project, which aims to translate C code to Rust. Why? Because a whopping two-thirds of vulnerabilities in memory-unsafe languages stem from memory-related issues.
National Cybersecurity Strategy 🌐: This strategy emphasizes shifting the burden of security from end-users to the technology manufacturers. For OSS, this means encouraging companies that heavily rely on OSS to contribute more to its security.

💡 Executive Branch Initiatives: Action in Motion

The executive branch isn’t just talking; it’s taking action!

CISA’s “Secure by Design” White Paper: This important document urges tech companies to proactively reduce vulnerabilities by adopting practices like using memory-safe languages.
CISA’s Open-Source Software Security Roadmap 🗺️: This roadmap is a comprehensive plan focusing on:
- Integration with OSS Communities: CISA is actively collaborating with groups like OpenSSF to create standardized security practices for OSS package repositories.
- Federal OSS Cataloging & Improvement: Understanding and enhancing the government’s own extensive use of OSS.
- Securing Package Repositories 💾: Recognizing that many essential OSS infrastructure components are hosted by resource-constrained non-profits, CISA, in partnership with OpenSSF, has published crucial guidance on package repository security.
- Communication & Incident Response 📡: Establishing clear channels for coordinated responses to security incidents, drawing valuable lessons from real-world compromises.

🤖 AI: The Double-Edged Sword of OSS Security

The advent of Artificial Intelligence is ushering in a new era for OSS, bringing both incredible opportunities and significant challenges.

Open Source AI 🧠: The call is for open-sourcing not just model weights, but also training data and source code. This is crucial for creating truly reproducible and verifiable AI models.
AI-Generated Code 👨‍💻: As AI gets better at writing code, we’re likely to see a massive surge in the volume of OSS. However, current benchmarks indicate that AI models can still introduce vulnerabilities. The key challenge here is ensuring that AI-generated code is built with security from the very beginning, embracing those “secure by design” principles we’ve been talking about.

🤔 The Road Ahead: Challenges and Opportunities

While progress is undeniable, the path forward isn’t without its bumps.

US Policy Uncertainty ❓: The future of US OSS security policy is still a bit of a question mark. Concerns linger about potential setbacks due to layoffs and budget cuts that could impact CISA’s vital OSS initiatives.
Global Collaboration is Key 🌍: Developments like the EU’s Cyber Resilience Act are significant. Active participation in global efforts is absolutely crucial for shaping sensible and effective standards.
Bridging the Tech-Policy Gap 👨‍⚖️: There’s a persistent need for more technical expertise within policymaking circles. Programs like Tech Congress are vital in bridging this gap.
Sustaining Vulnerability Discovery and Fixing 🎯: The discovery of the FFmpeg vulnerability by Google sparked important conversations about the responsibility of large companies. It’s not enough to just find vulnerabilities; companies need to be equally committed to fixing them and making those patches readily available.

Jack Cable’s overarching message is powerful: the government should act as a contributing community member, not just a regulator. And as AI increasingly enters the coding arena, we must ensure that the code it produces is inherently secure, built with the principles of “secure by design” at its core. The future of our digital world depends on it! ✨

Securing the Digital Foundation: How Policy and AI are Reshaping Open Source Security 🚀#

🏛️ The Government’s Shifting Stance: From Laggard to Ally#

Key Milestones That Sparked Change ✨#

💡 Executive Branch Initiatives: Action in Motion#

🤖 AI: The Double-Edged Sword of OSS Security#

🤔 The Road Ahead: Challenges and Opportunities#

Appendix#