Bulgaria Follows USA In Supporting Open Source

Last March, the White House released a draft policy for requiring federal agencies to share software, with the possibility of requiring federally-funded code to be released as open source. Last month, the Bulgarian government followed suit, and raised the ante by including a bug bounty program in the legislation. Add to this efforts in the UK, India and New Zealand and you can see a trend starting.

Bulgarian Government Mandate

There are obvious security concerns around releasing software used by governments for critical activities. I, for one, don’t really want the code for critical infrastructure and defense under a blanket open source mandate, and Bulgaria has exempted their intelligence agencies from the mandate. Further, they need to be mindful of systems managing the personal information of employees and taxpayers. However, it seems obvious that much of the software managing non-critical data could be useful, in whole or in part, to the private sector. If managed properly, the legislation makes sense for a number of reasons.

More open source

Development teams are embracing open source for a good reason. It accelerates development while lowering (not eliminating) costs. The more open source available, the more we all benefit. Assuming the code covered under these policies has genuine utility, it will attract attention from the open source community. Independent developers will build enhancements that will be available to both public and private enterprises.

More eyes

I’m not arguing for the “many eyes make all bugs shallow” claim in general. Security eyes are undoubtedly useful, however, and are the source of virtually all open source vulnerability disclosures in the NVD. Bulgaria has addressed this with its bug bounty program. By paying security researchers (and others) for bugs, they are encouraging responsible disclosure.

More transparency 

Understanding what is being “custom built” can shed light on inside deals where commercial solutions may already exist. Bulgaria is taking this a step further in that all contracts for custom software will be available online for public review.

More efficiency

Taxpayer funds were used to create the code, and making that code available to other federal agencies can reduce waste. Assuming the software meets the needs of several agencies, maintaining a single code base should simplify code maintenance as well.

More innovation

NASA pioneered efforts to make public the technologies it developed in the space program. Technologies such as anti-icing systems, infrared ear thermometers, firefighting gear, and memory foam mattresses have resulted from shared technology. In a world where software integrates into almost everything, access to the government’s building blocks should spur more advances.

I’ll reiterate that these programs must be managed carefully from a security standpoint. But overall, open sourcing software from some of the largest consumers of custom code can help us all.
