
White House aims to secure open source government programs

The White House unveils a new open source government policy and new research estimates the government's zero-day exploit stockpile to be smaller than expected.

The U.S. government aims to improve cybersecurity across the board with a new policy that opens its custom-built software to outside review, even as new research suggests the government is also stockpiling unpatched vulnerabilities in third-party software for use by law enforcement and intelligence agencies.

The new policy from the White House, called the Federal Source Code Policy (OMB memorandum M-16-21), extends the government's open data program to custom software developed by or for federal agencies: code paid for by the government must be shared across agencies, and a portion of it must be released publicly as open source.

The main stated goal of the policy is "decreasing duplicative costs for the same code and reducing federal vendor lock-in" but the White House also noted the "collaborative atmosphere can make it easier to conduct software peer review and security testing."

However, security experts may find the policy weaker than it sounds, because the open source requirement is only a pilot: agencies must "release at least 20% of new custom-developed code as open source software for three years," and nothing obliges them to open the remaining 80%. The policy also includes a number of exceptions that allow agencies to withhold code entirely, citing identifiable risks to national security, the confidentiality of government information or individual privacy; the stability, security or integrity of the agency's systems or personnel; agency mission, programs or operations; or simply that the agency "CIO believes it is in the national interest to exempt sharing the source code." The broad "national interest" exemption in particular leaves the decision with each agency, so the amount of code that actually reaches public peer review may be well below 20%.

More open source government code could help surface vulnerabilities before they become zero-days in deployed systems. At the same time, new research has estimated the size of the zero-day exploit stockpile held by the U.S. government, long a subject of speculation, to be smaller than many expected.

Jason Healey, a senior research scholar at Columbia University, said at the DEF CON conference in Las Vegas that he has "high confidence" the National Security Agency's (NSA) stockpile contains only "dozens" of zero-days, possibly around 50, and that the number of new vulnerabilities the agency purchases each year is in the "single digits." Healey's figures are an estimate drawn from public information, not an official count. He noted that a large supply of zero-days is difficult to maintain because each vulnerability is eventually found and patched independently of the agency holding it, so the inventory decays unless it is continually replenished.

In 2015, the NSA claimed it disclosed 91% of the vulnerabilities it discovered to the affected software vendor, but it gave no indication of the total number of vulnerabilities reviewed. Without that denominator the percentage says nothing about the absolute size of the stockpile: 9% of a few dozen and 9% of several thousand are very different retained inventories.

Other news

  • Google and Dashlane have announced a new open API for sign-in called Open YOLO (You Only Login Once), which will allow Android apps to retrieve credentials stored in existing password managers. The API could lead to wider use of the long, random passwords that password managers generate, since users would no longer have to copy or type them into each app, keeping the friction low for end users.
  • Google is also looking to finish the job of blocking Flash content in its Chrome browser. The company said 90% of Flash content runs "behind the scenes to support things like page analytics," and starting in September, Chrome 53 will block that invisible content. Chrome 55, scheduled for release on Dec. 5, will make HTML5 the default experience, except on sites that only support Flash, where the user will be asked whether to enable it.
  • Less than one week after Apple announced its own bug bounty program with a top reward of $200,000, Exodus Intelligence announced its Research Sponsorship Program, which one-ups that payment structure with a $500,000 reward for iOS exploits. The program will also offer $125,000 for Microsoft Edge exploits, a huge jump from Microsoft's own $1,500 bounty, and Exodus may pay researchers additional bonuses for every quarter a purchased zero-day remains unpatched. Unlike vendor bounties, these rewards do not lead to a fix for the affected software; the exploits are resold to Exodus' customers.
  • While the UK government prepares to vote on the Investigatory Powers Bill, which could weaken encryption and require internet service providers to collect and retain the browsing history of citizens, one man has built a non-profit ISP that routes all customer traffic over the Tor anonymity network to sidestep these potential new surveillance powers. Gareth Llewelyn's ISP, Brass Horn Communications, is designed so that compliance with the new law is technically impossible: because customer traffic enters Tor before it leaves the provider's network, the ISP never sees which sites its customers visit and therefore, unlike a traditional ISP, has no usage logs to obtain or store.

Next Steps

Learn more about the EFF software vulnerability disclosure program.

Find out why government needs open source.

Get info on why HTML5 needs to replace Flash.
