Report Endnotes

Securing Open Source Software at the Source

Creating a Center for Open Source Software Infrastructure and Security

  1. In software engineering, the codebase is the collection of source code used to build a software system — like the bricks of a building.
  2. Synopsys, “2021 Open Source Security & Risk Analysis Report,” https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-2021.pdf
  3. “Cyberspace Solarium Commission Report,” Mar. 2020, http://fdd.org/wp-content/uploads/2020/03/CSC-Final-Report.pdf
  4. For a full definition of “open source software,” see Appendix A of the Federal Source Code Policy, https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2016/m_16_21.pdf
  5. “Usage statistics of Linux for websites,” https://w3techs.com/technologies/details/os-linux
  6. The MITRE Corporation, “Use of Free and Open-Source Software in the U.S. Department of Defense,” Jan. 2, 2003, https://dodcio.defense.gov/Portals/0/Documents/FOSS/dodfoss_pdf.pdf
  7. Synopsys.
  8. Netcraft, “Half a million widely trusted websites vulnerable to Heartbleed bug,” Apr. 8, 2014, https://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
  9. FTC, “Equifax Data Breach Settlement,” Jan. 2020, https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement
  10. Brian Barrett, “How 4 Chinese Hackers Allegedly Took Down Equifax,” Feb. 10, 2020, https://www.wired.com/story/equifax-hack-china/
  11. CISA, “Top 10 Routinely Exploited Vulnerabilities,” May 12, 2020, https://us-cert.cisa.gov/ncas/alerts/aa20-133a
  12. Greg Walden and Gregg Harper, “Letter to Mr. Zemlin,” https://web.archive.org/web/20180422034612/https://energycommerce.house.gov/wp-content/uploads/2018/04/040218-Linux-Evaluation-of-OSS-Ecosystem.pdf
  13. The White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 12, 2021, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
  14. James Turner, “Open source has a funding problem,” Jan. 7, 2021, https://stackoverflow.blog/2021/01/07/open-source-has-a-funding-problem/
  15. The Linux Foundation and The Laboratory for Innovation Science at Harvard, “2020 FOSS Contributor Survey Report,” https://www.linuxfoundation.org/wp-content/uploads/2020FOSSContributorSurveyReport_121020.pdf
  16. Liran Tal, “Open source maintainers want to be secure, but 70% lack skills,” Feb. 26, 2019, https://snyk.io/blog/open-source-maintainers-want-to-be-secure-but-70-lack-skills/
  17. The Linux Foundation and The Laboratory for Innovation Science at Harvard.
  18. National Critical Functions (NCFs) are the functions of government and the private sector that represent the nation’s most strategic risks. See: CISA, “National Critical Functions,” https://www.cisa.gov/national-critical-functions
  19. CVSS is a framework for describing the characteristics and severity of software vulnerabilities. See: NVD, “Vulnerability Metrics,” https://nvd.nist.gov/vuln-metrics/cvss
  20. NVD is a U.S. government database of vulnerability data that is available to the public. See: NIST, “National Vulnerability Database (NVD),” https://www.nist.gov/programs-projects/national-vulnerability-database-nvd
  21. The Census Program identifies commonly used free and open source software components and examines them for vulnerabilities. See: “Vulnerabilities in the Core,” https://www.coreinfrastructure.org/wp-content/uploads/sites/6/2020/02/census_ii_vulnerabilities_in_the_core.pdf
  22. The Criticality Score is an effort to rate open source projects based on how critical they are to the entire community. See: Google Open Source Project, “Finding Critical Open Source Projects,” https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html
  23. Tim Graham, “Django Fellowship Program: 2016 retrospective,” Dec. 28, 2016, https://www.djangoproject.com/weblog/2016/dec/28/fellowship-2016-retrospective/
  24. “Cyberspace Solarium Commission Report,” Mar. 2020, http://fdd.org/wp-content/uploads/2020/03/CSC-Final-Report.pdf
  25. “Homeland Open Source Technology Fact Sheet,” July 29, 2015, https://www.dhs.gov/publication/ST-homeland-open-source-technology
  26. CISA, “CISA Invests in Cutting-Edge Election Security Auditing Tool Ahead of 2020 Elections,” Nov. 21, 2019, https://www.cisa.gov/news/2019/11/21/cisa-invests-cutting-edge-election-security-auditing-tool-ahead-2020-elections
  27. European Commission, “EU-FOSSA 2 Deliverables,” https://joinup.ec.europa.eu/collection/eu-fossa-2/eu-fossa-2-deliverables
  28. European Commission, “EU-FOSSA 2 - the EU’s open source cybersecurity project ends,” July 14, 2020, https://ec.europa.eu/info/news/eu-fossa-2-eus-open-source-cybersecurity-project-ends-2020-jul-14_en
  29. Ford Foundation, “Critical Digital Infrastructure Research,” https://www.fordfoundation.org/campaigns/critical-digital-infrastructure-research/
  30. Chan Zuckerberg Initiative, “Essential Open Source Software for Science,” https://chanzuckerberg.com/eoss/
  31. Shane Greenstein and Frank Nagle, “Digital Dark Matter and the Economic Contribution of Apache,” Oct. 2013, Research Policy, 43(4), 623-631, https://doi.org/10.1016/j.respol.2014.01.003
  32. GFDRR, “Open Data for Resilience Initiative & GeoNode: A Case Study on Institutional Investments in Open Source,” 2017, https://opendri.org/wp-content/uploads/2017/03/OpenDRI-and-GeoNode-a-Case-Study-on-Institutional-Investments-in-Open-Source.pdf
  33. Frank Nagle, “Government Technology Policy, Social Value, and National Competitiveness,” Mar. 21, 2019, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3355486
  34. Frank Nagle, “Why Congress should invest in open source software,” Oct. 13, 2020, https://www.brookings.edu/techstream/why-congress-should-invest-in-open-source-software/
  35. Trey Herr et al., “Broken trust: Lessons from Sunburst,” Mar. 29, 2021, https://www.atlanticcouncil.org/in-depth-research-reports/report/broken-trust-lessons-from-sunburst