Security-by-design is an approach that seeks to build security in products and services from the outset and throughout their lifecycle rather than as an afterthought, while maintaining the capacity to innovate and adapt to an ever-changing threat landscape. Following OECD Recommendations in this area, policy makers encourage its adoption by industry to reduce digital security risk, building on existing methodologies and standards such as the Secure Development Lifecycle. However, it is unclear how OSS projects can implement security-by-design. This session will explore the opportunities and challenges related to security-by-design in OSS.

When it comes to vulnerabilities, both proprietary and open-source software face the same reality: the more complex the code, the more vulnerabilities there are, and despite all efforts to secure the code by design, some vulnerabilities still remain, as explained in recent OECD work. The solution to software vulnerabilities is their detection and resolution, including through vulnerability treatment and co-ordinated vulnerability disclosure (CVD), a collaborative process involving all stakeholders, from security researchers (detection, disclosure) to software editors (vulnerability handling and resolution) and users (patching and vulnerability management). In 2022, the OECD recommended the adoption of public policies to encourage vulnerability treatment. This session will explore the specificities of OSS with respect to vulnerability treatment, and the unique characteristics of its ecosystem.