
Pentagon Targets Open Source Security Risks in Software Procurement Overhaul (theregister.com)

(Wednesday May 07, 2025 @11:22AM (msmash) from the how-about-that dept.)


The Department of Defense is [1]revamping its "outdated" software procurement systems through a new Software Fast Track initiative. The SWFT program aims to reform how software is acquired, tested, and authorized with security as the primary focus. "Widespread use of open source software, with contributions from developers worldwide, presents a significant and ongoing challenge," DoD CIO Katie Arrington wrote in the initiative memo.

The DoD currently "lacks visibility into the origins and security of software code," hampering security assurance efforts. The initiative will establish verification procedures for software products and expedite authorization processes. Multiple requests for information are running until late May seeking industry input, including how to leverage AI for software authorization and define effective supply chain risk management requirements.

The push comes amid recent DoD security incidents, from malware campaigns targeting procurement systems to sensitive information leaks.



[1] https://www.theregister.com/2025/05/06/us_dod_software_procurement/



Paying back the bribes (Score:5, Insightful)

by greytree ( 7124971 )

Bribers gotta get paid.

Ermahgerd! Erhpin Serhss! (Score:4, Insightful)

by Anonymous Coward

> The DoD currently "lacks visibility into the origins and security of software code," hampering security assurance efforts.

Or they could... Perhaps... Read the code?! After all, it's Open Source. It's kinda the point.

Sensible vs reality (Score:5, Insightful)

by DrYak ( 748999 )

> Or they could... Perhaps... Read the code?! After all, it's Open Source. It's kinda the point.

Yup.

The sensible things to do:

Contribute -- both financially and by having coders on your own payroll -- to LTS versions of opensource projects, that you audit for security and contribute back to the development.

The whole planet would benefit from these improvements.

What they are actually going to do:

Microsoft is going to pay some bribes to make sure that their latest crap -- huh, sorry, Microsoft Copilot 365 Crap ME (Military Edition) -- is the official "tested and authorized" software.

A few rich guys will get richer.

Re: (Score:2)

by drinkypoo ( 153816 )

> The whole planet would benefit from these improvements.

That's exactly why they won't do it. Anything that benefits others is bad in their opinion, even if it benefits them too and ultimately leads to others doing things that benefit them even more. A rising tide lifts all ships, and that's a terrible thing to a corporatist.

Re: (Score:1)

by sabbede ( 2678435 )

Well, no, that wouldn't be a terrible thing to a corporatist, but then you're not using that term correctly. It does not refer to corporations, it refers to the entirely unrelated term "corporatism". A corporatist would see that as part of the process of negotiating a "best for everyone" outcome. At least in theory. In practice corporatism has usually been more about State command of industrial sectors.

Re: (Score:2, Flamebait)

by Entrope ( 68843 )

> Or they could... Perhaps... Read the code?!

That's exactly what TFS says they are doing:

> The initiative will establish verification procedures for software products and expedite authorization processes.

Between clearly malicious things like the xzutils back door and apparently unintended faults like Apple's "goto fail", there are legitimate security concerns. Contracts for software development or purchase/licensing can include terms that reduce the risk of those mistakes, but using open source code directly doesn't have a contractor who can accept those terms.

Re: (Score:2)

by quenda ( 644621 )

> Or they could... Perhaps... Read the code?! After all, it's Open Source. It's kinda the point.

Let's not get cocky. Yes, being able to read the code is good. But the threat is still real, and we need a systematic way to make sure every update is adequately "read".

Supply chain attacks can bite you when you least expect it. [1]https://en.wikipedia.org/wiki/... [wikipedia.org]

[1] https://en.wikipedia.org/wiki/XZ_Utils_backdoor
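One mechanical check of the kind the comment above calls for, added here as an illustration and not code from the thread, from The Register, or from any DoD program: the XZ backdoor linked above was shipped in release tarballs that did not match the tagged git tree (a modified m4 macro and opaque test fixtures that were never committed), so "adequately reading" an update starts with confirming the artifact you build actually corresponds to the source you reviewed. The script below diffs a release tarball against a tagged tree, tolerating an explicit allowlist of generated files that autotools releases legitimately add. The tree contents, file names and tarball are all constructed inline so it runs offline; the `build-to-host.m4` path is used only because it is the file the Wikipedia article names, and the payload name is made up.

```python
"""Diff a source release tarball against the tagged tree it claims to be built from.

Added example; the tree, the tarball and the allowlist below are constructed
inputs, not a real project.
"""
import hashlib
import io
import tarfile

# Files a real autotools release is expected to add on top of the git tree.
# Anything else that appears only in the tarball is flagged.
DEFAULT_GENERATED = frozenset({"configure", "Makefile.in", "aclocal.m4"})


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(files: dict) -> dict:
    """path -> sha256 for an in-memory checkout (path -> bytes)."""
    return {path: sha256(data) for path, data in files.items()}


def tarball_digests(tar_bytes: bytes) -> dict:
    """path -> sha256 for every regular file in a tarball, top-level dir stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue  # directories, symlinks etc. carry no content to hash
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            out[rel] = sha256(tf.extractfile(member).read())
    return out


def diff_release(tree: dict, tarball: dict, generated=DEFAULT_GENERATED):
    """Return (added, modified, missing): paths only in the tarball (minus
    allowlisted generated files), paths whose content differs, paths only in git."""
    added = sorted((set(tarball) - set(tree)) - set(generated))
    missing = sorted(set(tree) - set(tarball))
    modified = sorted(p for p in tree.keys() & tarball.keys() if tree[p] != tarball[p])
    return added, modified, missing


def make_tarball(files: dict, prefix: str) -> bytes:
    """Build a gzip'd tarball in memory (used here to construct the sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: what the tag contains ...
TAGGED_TREE = {
    "configure.ac": b"AC_INIT([example], [1.0])\n",
    "m4/build-to-host.m4": b"# upstream autoconf macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
# ... versus what the "release" tarball contains: a legitimately generated
# configure script, a silently modified m4 file, and an opaque test fixture
# that was never committed.
RELEASE_FILES = dict(TAGGED_TREE)
RELEASE_FILES["configure"] = b"#! /bin/sh\n# generated by autoconf\n"
RELEASE_FILES["m4/build-to-host.m4"] = b"# upstream autoconf macro\n# extra line not in git\n"
RELEASE_FILES["tests/files/fixture.bin"] = b"opaque blob"  # hypothetical name
RELEASE_TARBALL = make_tarball(RELEASE_FILES, "example-1.0")


def check_release(tree_files=TAGGED_TREE, tar_bytes=RELEASE_TARBALL) -> dict:
    added, modified, missing = diff_release(tree_digests(tree_files), tarball_digests(tar_bytes))
    return {
        "added": added,
        "modified": modified,
        "missing": missing,
        "clean": not (added or modified or missing),
    }


if __name__ == "__main__":
    for key, value in check_release().items():
        print(f"{key}: {value}")
```

Against a real project you would replace `TAGGED_TREE` with `git archive <tag>` (or a walk of a checkout) and `RELEASE_TARBALL` with the downloaded artifact; the allowlist should be as narrow as the project's build genuinely requires, because a generous allowlist is exactly where a malicious extra file hides.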

Re: (Score:1)

by sabbede ( 2678435 )

Is that not what they're talking about? Updating the process for doing just that?

Back to security by obscurity (Score:5, Interesting)

by simlox ( 6576120 )

The military have always believed in that. Now a few cases of deliberate back doors in open source give them the excuse to go back to that model: Basically, if they run their own secret software, with secret crypto algorithm, they are safe.

including how to leverage AI for software authoriz (Score:5, Insightful)

by zephvark ( 1812804 )

"including how to leverage AI for software authorization"

So, they're not actually serious about software security. You'd never let an "AI" system anywhere near your evaluation chain. They're just looking for cash.

the robot dog has already left the stable (Score:2)

by Big Hairy Gorilla ( 9839972 )

whataboutism: you're arguably fully dependent on Microsoft services and software...

Look for improvements where there are problems.

aka Fish where there are fish.

Re: (Score:2)

by HiThere ( 15173 )

There ARE problems with several open source projects.

The right way to approach this is to fix them. The wrong way is to depend on something you can't verify.

But don't pretend that FOSS software is perfect. Some of it may be (or close), but much of it isn't. The difference is IT CAN BE FIXED.

Re: (Score:2)

by Big Hairy Gorilla ( 9839972 )

no argument here.

I'm just whatabouting, because I think it's valid to say the vast majority of any problems they are experiencing are over in the Microsoft domain.

Why a military force would intentionally create a dependency on clearly bloated and bug ridden software for critical functions is a dereliction of duty.

No need to blame open source when you're balls deep with Microsoft.

Here we go again (Score:4, Insightful)

by drinkypoo ( 153816 )

> The DoD currently "lacks visibility into the origins and security of software code," hampering security assurance efforts.

This is the very first step in destroying FOSS. First you cast aspersions on its quality as if closed source software were somehow better.

Re: (Score:1)

by sabbede ( 2678435 )

Don't jump to conclusions. If you read the article, there are four separate quotes that may only be linked by how the author ordered them. There is no reason, from just reading the article, to assume that the line you quoted referred to the comment about open-source software. Maybe it did, maybe it didn't, there's missing context.

Visibility... (Score:3)

by zkiwi34 ( 974563 )

What visibility do they have with regards to products from Microsoft, Boeing, any number of proprietary providers? Chances are slim to none.

Re: (Score:1)

by sabbede ( 2678435 )

What makes you think they aren't talking about that? Well, the way the quotes are handled in the article implies it but does not say it. There is no necessary implication that the third quote specifically and only refers to the open-source section of the preceding quote. They may well be talking about all software from any source.

Though I'm pretty sure that they do have a code review process for their vendors. And I've seen suggestions that the problem with open-source software is that there is often

Isolationism (Score:4, Insightful)

by nicubunu ( 242346 )

Isolationism says it is better to buy overpriced proprietary software from your cronies than use open solutions from the evil globalists.

Their biggest security issue (Score:4, Informative)

by kaizendojo ( 956951 )

..is their Secretary of Defense.
