Open Source Software Must Start with Secure Code


Jack Cable and Aeva Black, CISA Senior Technical Advisors

At CISA, we’re big fans of open source software. As we close out National Coding Week, we wanted to highlight the importance of open source software and our efforts to help secure it. Open source software, which is software that can be freely used, modified, and distributed by anyone, is used to accelerate development in virtually every field. Moreover, it underpins the software that supports our federal government, critical infrastructure, and organizations internationally.

For many of our cybersecurity tools and services, we develop in the open. Some of our most popular tools include Malcolm, used to analyze network traffic logs, and ScubaGear, used for assessing cloud configuration baselines.

Much like any software, the security of open source software needs to be top of mind. This is especially clear in light of vulnerabilities like Log4Shell, which demonstrated just how impactful a vulnerability in a widely used open source package can be. As we advocate in Secure by Design, secure coding needs to be incorporated into the development process of open source software. It’s our responsibility as the government, and one of the largest users of open source software in the world, to contribute back to the security of this public good.

Our recently published roadmap on open source software security lays out CISA’s plan to help secure the open source ecosystem. The roadmap establishes four key goals: working hand-in-hand with the open source community, understanding open source software prevalence, reducing risks to the federal government, and strengthening the broader open source ecosystem. This includes actions to help accelerate the adoption of memory-safe coding and to develop resources that help open source developers understand secure coding.

In government, we need to be good stewards of the open source software we depend on. The Department of Homeland Security recently published its updated Reusable and Open Source Software policy. The policy, in addition to establishing a default-to-open-source policy, encourages contributions from DHS employees and contractors to open source projects that we rely on. By leveraging the DHS workforce and the large amount of software development that is already underway, we can hope to bolster what we depend on.

There are many reasons that individuals choose to contribute to open source software, some personal and some professional. Similarly, there are different types of communities that have formed to support open source software, and the cultural norms vary between these communities. If you’re interested in contributing to open source as an individual, there are great guides out there [1], [2], [3]. Of course, secure coding should be top of mind – there are plenty of great free resources to get a head start [4], [5]. If you’re a company that uses open source software, you might consider creating an open source program office to track and coordinate your usage of open source software, and to ensure that your developers have time to contribute back to the security and sustainability of the open source projects the company depends on [6].

Want to get involved with government efforts? Along with partners from the White House, the National Science Foundation, and the Defense Advanced Research Projects Agency, we launched a Request for Information on open source software security. Responses are due November 8 – so get them in soon! And of course, contributions to our open source projects are always welcome.

Have questions or feedback on our open source work at CISA? You can contact us at

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial entity, products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.