
Pentagon Targets Open Source Security Risks in Software Procurement Overhaul (theregister.com)

The Department of Defense is revamping its "outdated" software procurement systems through a new Software Fast Track initiative. The SWFT program aims to reform how software is acquired, tested, and authorized with security as the primary focus. "Widespread use of open source software, with contributions from developers worldwide, presents a significant and ongoing challenge," DoD CIO Katie Arrington wrote in the initiative memo.

The DoD currently "lacks visibility into the origins and security of software code," hampering security assurance efforts. The initiative will establish verification procedures for software products and expedite authorization processes. Multiple requests for information are running until late May seeking industry input, including how to leverage AI for software authorization and define effective supply chain risk management requirements.

The push comes amid recent DoD security incidents, from malware campaigns targeting procurement systems to sensitive information leaks.

  • by greytree ( 7124971 ) on Wednesday May 07, 2025 @06:18AM (#65358363)
    Bribers gotta get paid.
  • by Anonymous Coward on Wednesday May 07, 2025 @06:26AM (#65358373)

    The DoD currently "lacks visibility into the origins and security of software code," hampering security assurance efforts.

    Or they could... Perhaps... Read the code?! After all, it's Open Source. It's kinda the point.

    • by DrYak ( 748999 ) on Wednesday May 07, 2025 @06:38AM (#65358377)

      Or they could... Perhaps... Read the code?! After all, it's Open Source. It's kinda the point.

      Yup.

      The sensible things to do:
      Contribute -- both financially and by having coders on your own payroll -- to LTS versions of open source projects, which you audit for security and contribute back to the development.
      The whole planet would benefit from these improvements.

      What they are actually going to do:
      Microsoft is going pay some bribes to make sure that their latest crap -- huh, sorry, Microsoft Copilot 365 Crap ME (Military Edition) -- is the official "tested and authorized" software.
      A few rich guys will get richer.

      • The whole planet would benefit from these improvements.

        That's exactly why they won't do it. Anything that benefits others is bad in their opinion, even if it benefits them too and ultimately leads to others doing things that benefit them even more. A rising tide lifts all ships, and that's a terrible thing to a corporatist.

        • Well, no, that wouldn't be a terrible thing to a corporatist, but then you're not using that term correctly. It does not refer to corporations, it refers to the entirely unrelated term "corporatism". A corporatist would see that as part of the process of negotiating a "best for everyone" outcome. At least in theory. In practice corporatism has usually been more about State command of industrial sectors.
      • by wagnerer ( 53943 )

        And MS is going to package up the open source software in libraries to embed in their code.

    • Re: (Score:3, Interesting)

      by Entrope ( 68843 )

      Or they could... Perhaps... Read the code?!

      That's exactly what TFS says they are doing:

      The initiative will establish verification procedures for software products and expedite authorization processes.

      Between clearly malicious things like the xzutils back door and apparently unintended faults like Apple's "goto fail", there are legitimate security concerns. Contracts for software development or purchase/licensing can include terms that reduce the risk of those mistakes, but using open source code directly doesn't have a contractor who can accept those terms.
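      The "goto fail" defect the comment above mentions is a useful illustration of why a human reading the code is not by itself a verification procedure: the bug is a single duplicated line that the eye skips over. The block below is an added example, not code from the page, from Apple, or from the commenter; it is a constructed toy in which the step functions, the error codes and the simulated hash/signature outcomes are all assumptions made for the demonstration. It places the vulnerable control-flow shape beside the fixed one so the difference in return value can be checked directly.

```c
#include <stdio.h>

/* Constructed error codes for the example (assumption, not Apple's values). */
typedef int err_t;
enum { ERR_OK = 0, ERR_HASH = 1, ERR_SIGNATURE = 2 };

/* Simulated pipeline steps. In a real TLS handshake these would be hash
 * updates followed by an RSA/ECDSA signature verification; here a flag
 * decides whether each step "succeeds" so the control flow can be tested. */
static err_t update_hash(int ok)       { return ok ? ERR_OK : ERR_HASH; }
static err_t verify_signature(int ok)  { return ok ? ERR_OK : ERR_SIGNATURE; }

/* Vulnerable shape: the second "goto fail;" is outside the if, so it is
 * taken unconditionally. The signature check below it is dead code, and
 * err still holds ERR_OK from the hash step, so the function reports
 * success without ever checking the signature. */
err_t verify_vulnerable(int hash_ok, int signature_ok)
{
    err_t err;
    if ((err = update_hash(hash_ok)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: always executed */
    if ((err = verify_signature(signature_ok)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: braces around every conditional body and no duplicated
 * jump, so the signature check is always reached. */
err_t verify_fixed(int hash_ok, int signature_ok)
{
    err_t err;
    if ((err = update_hash(hash_ok)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(signature_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Constructed case: hashing succeeds, the signature is bogus. */
    printf("vulnerable: %d (0 means the bogus signature was accepted)\n",
           verify_vulnerable(1, 0));
    printf("fixed:      %d (non-zero means rejected)\n", verify_fixed(1, 0));
    return 0;
}
```

      Two checks catch this shape mechanically, which is the point of a systematic process rather than an eyeball review: clang's `-Wunreachable-code` reports the dead signature check, and gcc's `-Wmisleading-indentation` reports the indented-but-unconditional second `goto`. A coding standard that requires braces on every conditional body, as in `verify_fixed`, removes the shape entirely.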

      • Did you read the quote you used? This is pure BS corpo speak. They want to both increase security, be more thorough but also expedite the process. These things are mutually exclusive.
        • by zlives ( 2009072 )

          Unless they maintain a verified and continually updated code repository for development... maybe that's what SWFT is?
          I am just wondering if there is a budget for that initiative.

        • by Entrope ( 68843 )

          It is pure government bureaucrat speak, at least. They are extremely risk-averse, so they want coverage -- either in terms of contract terms (that probably don't do much except make them feel better) or in terms of paperwork for "assurance" and "authorization".

          This does push companies to provide service level agreements for support (typically 8x5 or 24x7, depending on exposure of the software) but a lot of the other security assurance/authorization checkbox items can be provided by a reasonably clueful use

    • by quenda ( 644621 )

      Or they could... Perhaps... Read the code?! After all, it's Open Source. It's kinda the point.

      Let's not get cocky. Yes, being able to read the code is good. But the threat is still real, and we need a systematic way to make sure every update is adequately "read".
      Supply chain attacks can bite you when you least expect it. https://en.wikipedia.org/wiki/... [wikipedia.org]

      • by gweihir ( 88907 )

        The thing is, FOSS is not free. It needs to be paid for by society. It works the same as infrastructure. Well, come to think of it, no surprise the US has trouble with the idea.

        • by quenda ( 644621 )

          The thing is, FOSS is not free.

          [sigh] "Free as in speech, not free as in beer" is the common saying.

          • by gweihir ( 88907 )

            Actually that one would be non-F "OSS". But FOSS is not free either. It just needs to be treated as a common good and many people do not understand how that works. Also see "Tragedy of the Commons" ...

    • Is that not what they're talking about? Updating the process for doing just that?
  • by simlox ( 6576120 ) on Wednesday May 07, 2025 @06:34AM (#65358375)
    The military have always believed in that. Now a few cases of deliberate back doors in open source give them the excuse to go back to that model: basically, if they run their own secret software, with a secret crypto algorithm, they are safe.
  • by zephvark ( 1812804 ) on Wednesday May 07, 2025 @06:51AM (#65358395)

    "including how to leverage AI for software authorization"

    So, they're not actually serious about software security. You'd never let an "AI" system anywhere near your evaluation chain. They're just looking for cash.

    • by zlives ( 2009072 )

      the memo does not mention AI, but yeah probably a sales job

    • by gweihir ( 88907 )

      Incompetence or greed? Well, you argue greed and you have a point. But it could be greed and incompetence, after all it is the military. One of the most prolific confirmation organizations for the Dunning-Kruger effect.

  • whataboutism: you're arguably fully dependent on Microsoft services and software...
    Look for improvements where there are problems.
    aka Fish where there are fish.
    • by HiThere ( 15173 )

      There ARE problems with several open source projects.
      The right way to approach this is to fix them. The wrong way is to depend on something you can't verify.

      But don't pretend that FOSS software is perfect. Some of it may be (or close), but much of it isn't. The difference is IT CAN BE FIXED.

      • no argument here.
        I'm just whatabouting, because I think it's valid to say the vast majority of any problems they are experiencing are over in the Microsoft domain.
        Why a military force would intentionally create a dependency on clearly bloated and bug ridden software for critical functions is a dereliction of duty.
        No need to blame open source when you're balls deep with Microsoft.
  • Here we go again (Score:4, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday May 07, 2025 @08:12AM (#65358463)

    The DoD currently "lacks visibility into the origins and security of software code," hampering security assurance efforts.

    This is the very first step in destroying FOSS. First you cast aspersions on its quality as if closed source software were somehow better.

    • Don't jump to conclusions. If you read the article, there are four separate quotes that may only be linked by how the author ordered them. There is no reason, from just reading the article, to assume that the line you quoted referred to the comment about open-source software. Maybe it did, maybe it didn't, there's missing context.
      • If you read the article, there are four separate quotes that may only be linked by how the author ordered them.

        If you could read, you would have noted that the article links the memo [defense.gov] which contains... hold on, wait for it... no more than four paragraphs, of which the quotes in the article encompass the first two of them and are presented in order.

        You could then also go on to read the part about where he is "directing the development of a Software Fast-Track (SWFT) Initiative" which will "lead the Department's adoption in* best practices" and (among other things) "expedite the cybersecurity authorizations for rapid

    • by gweihir ( 88907 )

      Naa, others have tried. FOSS is not going to be destroyed. But this will reduce the benefits overall. Obviously a good thing! Cannot have the unwashed masses think they do not need to pay the Microsoft (or Apple) Tax!

  • Visibility... (Score:4, Insightful)

    by zkiwi34 ( 974563 ) on Wednesday May 07, 2025 @08:53AM (#65358553)
    What visibility do they have with regards to products from Microsoft, Boeing, any number of proprietary providers? Chances are slim to none.
    • What makes you think they aren't talking about that? Well, the way the quotes are handled in the article implies it but does not say it. There is no necessary implication that the third quote specifically and only refers to the open-source section of the preceding quote. They may well be talking about all software from any source.

      Though I'm pretty sure that they do have a code review process for their vendors. And I've seen suggestions that the problem with open-source software is that there is often

      • by gweihir ( 88907 )

        The problem is that the code review processes for COTS software do not really work. I know several people that are or were involved in those and there is so much work they can only do partial inspection of the most critical parts.

  • Isolationism (Score:5, Insightful)

    by nicubunu ( 242346 ) on Wednesday May 07, 2025 @09:08AM (#65358587)

    Isolationism says it is better to buy overpriced proprietary software from your cronies than to use open solutions from the evil globalists.

    • That's one way to look at it. Another is - Is it easier for a major client to get product support from Microsoft or the maintainer of a given open-source project? That's a factor. As is having an official representative to handle all the paperwork involved in government contracting. What if the only maintainer with the free time to handle customer support for a project lives in Russia?

      It's not a simple matter.

      • by gweihir ( 88907 )

        Actually, it is much easier to get that FOSS support. Also much cheaper. The way you do it is you provide one or several paid maintainer positions or finance existing maintainers. Well known, even if only to experts.

  • by kaizendojo ( 956951 ) on Wednesday May 07, 2025 @09:33AM (#65358627)
    ..is their Secretary of Defense.
