The use of open-source software often comes with hidden security and maintenance risks. (Photo: Markus Spiske on Unsplash)
This article was contributed by Matthew Arnow, Head of Public Sector Solutions at Tidelift.
How Avionics Firms Using Open-Source Software Should Prepare as Government Cybersecurity Deadlines Approach
Over the past decade, all industries—including the aviation industry—have seen a large increase in the amount of open-source software being used in applications. Open source has, in many ways, become the modern software development platform, with some studies showing that upwards of 90% of applications contain open-source components.
Open-source usage is increasing for good reason. Open source increases developer productivity, accelerates development and deployment, and reduces application development costs. However, it often comes with hidden security and maintenance risks including internal open-source security and maintenance and external open-source software supply chain resilience challenges.
Growing number of software supply chain attacks
We’ve seen a barrage of open-source software supply chain related vulnerabilities over the last few years. Starting with Heartbleed in 2014, there has been a steady increase in critical vulnerabilities, including Log4Shell, Spring4Shell, and most recently, Text4Shell. Log4Shell in particular had a significant financial impact across the board with one federal cabinet department reporting that they dedicated 33,000 hours to the vulnerability response. Each vulnerability continues to highlight the need for organizations to implement proactive approaches to maximizing the health and security of the open source powering their applications.
The U.S. government is now taking action to set higher cybersecurity standards
These continued vulnerabilities have exposed the nation's critical infrastructure to potential attacks by bad actors. The government has taken notice, and in May 2021 the White House issued Executive Order 14028. This order was designed to use the U.S. government’s substantial purchasing power to level up the entire software industry’s cybersecurity standards.
As directed by the Executive Order, the National Institute of Standards and Technology (NIST) published specific guidance on secure software development standards (including for third-party software) in the following documents:
Additionally, in September of 2022, the Executive Office of the President, Office of Management and Budget announced memorandum M-22-18. Per this memorandum, any organization that sells software to the government will be required to self-attest that their software complies with the NIST guidelines as soon as June 2023 for critical software and September 2023 for all other software. Moving forward, federal agencies will only be able to procure software provided by software producers who attest to complying with the NIST guidance and U.S. federal agencies will require software producers to provide a software bill of materials (SBOM) and documented processes to validate code integrity. Further, self-attestation will be the minimum level required, but some agencies may make risk-based determinations that a third-party assessment is required due to the criticality of the software.
Impact on the aviation industry
Open-source software has already experienced large-scale adoption in the aviation industry, as it has in most other industries.
At the same time, the aviation industry has also seen its share of software-related issues. Most recently, the FAA issued a ground stop order as a result of what appeared to be a software maintenance-related breakdown costing taxpayers and the airline industry millions of dollars and unquantifiable lost time. Southwest Airlines’ recent software-related holiday meltdown that led to significant delays and cancellations is another example of the important role software plays in keeping the aviation industry running smoothly and on track.
While neither of these examples are specifically related to open source, with open source playing an increasingly prevalent role in the aviation industry, and increasing government regulations around cybersecurity coming, preparing for and planning in advance for software maintenance and security issues in open source will take on even more prominence.
The critical role of open-source maintainers in complying with government cybersecurity guidelines
Companies in the aviation industry selling software to the government that include open-source software components need to pay particular attention to federal self-attestation requirements outlined above as they continue to emerge. To comply with self-attestation requirements, organizations must better understand the security practices of the open-source software they are building into their applications.
Yet the so-called open-source software supply chain is not a traditional supply chain in that open-source maintainers typically do not have a business relationship with their users and license their software “as-is” with no warranty. Because many open-source maintainers are volunteers, expecting them to do more work to ensure their components meet these new standards is not a given.
The critical questions organizations should be asking themselves are:
- How do we attest to the security practices of open-source software we use, but is produced and maintained by volunteer maintainers?
- Do the volunteer maintainers have all the support they need to understand these new guidelines and practices?
- Are they able to commit the time and effort needed to do the work of implementing the necessary guidelines and practices?
The aviation industry should look for solutions that are built around open-source maintainers and the critical role they play both now and into the future. The best way to ensure the industry has reliable answers to these questions is by providing financial and non-financial support to open-source maintainers so they have the time and incentives they need to undertake the work needed to align their projects with the ever growing body of security and maintenance standards required by the industry and government alike.
Matthew Arnow is Head of Public Sector Solutions at Tidelift. He previously engaged directly with consumers and large enterprises in the mobile technology space for 17 years.