Open source software has long been touted as the antidote to monolithic, buggy, and security-challenged software packages developed by the industry’s 800-pound gorillas.

But a presentation from the National Security Agency (NSA) during a technology symposium last week presented a stark warning for the proponents of open source software: Get your house in order because sooner or later government and industry customers are going to demand verifiable information about where your software came from, who developed it, who had access to the code, and whether or not you can vouch for its security.

“Eventually, it’s going to get to the point where consumers are going to start demanding visibility into the provenance of the software that they base their missions on and that they depend on,” said Neil Ziring, the Technical Director for the NSA’s Information Assurance Directorate. “And everybody in that supplier base needs to be ready to be a part of that.”

The central message of Ziring’s presentation at the Red Hat Government Symposium, held in Washington, D.C. on Oct. 23, was that hackers are increasingly targeting new devices and software applications indirectly and earlier in their development cycles. He pointed to the highly sophisticated hacker attack in 2011 that targeted the SecureID tokens developed by RSA Security The compromise was later linked to a serious breach of a virtual private network (VPN) operated by defense contractor Lockheed Martin.


“Part of [hackers'] increase in sophistication is going after whatever point in the lifecycle is going to make their ultimate pursuit of the value chain easier,” said Ziring. “They weren’t after RSA in particular they were after something that was going to make their lives easier in the future.”

During his presentation, Ziring acknowledged the challenges posed by globalization – one of the foundations of the open source community, in which coders from all around the world contribute to development, debugging, and feature design.

“Unfortunately, there’s little incentive for the thing-makers to make them secure. And they’re going to constitute a huge attack surface going forward,” he said.

“True trust foundations are going to be the ultimate answer,” said Ziring. “Many, many machines you buy these days, especially end point machines, have TPMs (Trusted Platform Module) in them. And we’re starting to see that sort of thing in mobile platforms and for servers,” added Ziring. “And that ability to measure and attest to the integrity of what you’re running or what you’re about to run is going to become crucial in the fight against full custom malware.”

Another part of the solution for the open source community is going to be reputation, said Ziring, adding that the commercial software industry is well ahead in being able to demonstrate provenance. “And that is an area where I think the open source community could be more fully engaged,” he said. “Not necessarily do we need an open source reputation cloud or something,” said Ziring. But “open source needs to be a little more engaged in being able to say “hey, this is my piece of software, I developed it, I’m selling it … it’s known good.”