By Brian Proffitt, VP of Marketing & Publicity, Apache Software Foundation

Planning for the future is an essential part of the human experience, but rarely do we think in terms of the worst-case scenario and what that really means for the people and processes around us. In the world of security, thinking about the unthinkable is all part of the nature of the business. There isn’t the presumption that something may go wrong; instead, it’s what will go wrong and what will the response be?
This isn’t always an easy thing for people to grasp concretely. Even for software developers who abstractly understand that a bug in their code may someday lead to an exploit, understanding what that actually means in real-world consequences can be elusive, especially in the details.
Getting to the devil in those details is a major advantage for organizations using and contributing to open source software, where the creation process could be removed from their direct control. What does a company do when software developed in an open source community is suddenly involved in breaching that company’s data stores, due to a fault in that software? And how does the project’s community respond?
This is the impetus behind the Cybersecurity & Infrastructure Security Agency’s (CISA’s) Open Source Cyber Tabletop Exercise, an interactive scenario that enables participants to figure out exactly what they would do when the unthinkable happens. For committers in the ASF at the recent Community Over Code event in Denver, it was a chance to see what the ASF would do.
The tabletop exercise (TTX), hosted by CISA’s Aeva Black and Jordan Petrich, was conducted for 30 ASF committers, members, and officers on day 2 of the conference, to see how the ASF would handle a hypothetical scenario affecting critical infrastructure in the United States, a scenario predicated on a known fault in software the ASF would be responsible for.
To say this is familiar ground for the ASF would be an understatement. In 2021-2022, the open source supply chain’s security was under scrutiny and our ability to collaborate and innovate quickly was tested, due to the Log4Shell vulnerability detected in October 2021. At that time, the ASF collaborated closely with US government entities, including the White House, Congress, FBI, and others, to encourage a broader understanding of open source software and the role of foundations like the ASF.
The Log4Shell incident, and other security incidents in the open source ecosystem, played more than a little part in CISA’s focus on open source security. In 2023, when announcing the hire of Black as the agency’s Open Source Security Lead, CISA indicated they were “launching a new initiative at CISA to engage with open source community organizations. By fostering security by design and default principles within this dynamic and innovative community, we aim to strengthen the overall security posture of open source software.”
Having Black and Petrich come to the ASF and give the foundation an opportunity to flex the skills that it had learned through its own experiences was almost full circle.
The TTX’s purpose is “to test the effectiveness of cyber incident reporting in support of public-private coordination efforts during a major incident affecting a critical open source project.” Participants in the exercise, divided into groups so that each group held a mix of members’ areas of expertise within the ASF, were read new “daily” events from the scenario and given discussion time to respond on how they would react to those events in their roles at the ASF.
Without spoilers, the TTX was eye-opening to say the least. As events that happened over the course of virtual weeks unfolded, TTX participants had to react to not only the foundation’s own software repair and release processes, but also to outside pressures that made a “normal” response rather difficult.
Almost immediately, it became clear that sometimes the normal rules don’t apply and we should not take them for granted. But what also became apparent was that in this fictional scenario, private companies and foundations now have a resource they didn’t have before: the CISA itself.
Beyond providing TTXs like this to demonstrate how and why things could go wrong, CISA is also present to help coordinate voluntary collaboration and cyber defense information sharing across multiple organizations, even if normal channels begin to break down. That kind of support would prove invaluable if and when a critical incident occurs in the real world.
No one likes to think about the worst thing that can happen. But when guided through such scenarios, organizations can gain knowledge and skill on how to react when the worst does actually happen. In a world where open source software forms the backbone of so much of the world’s digital infrastructure, knowing how to react in the face of the unthinkable is critical.
The post CISA Tabletop Exercise Tests Open Source Security Response Procedures appeared first on The Apache Software Foundation Blog.