The US Cybersecurity and Infrastructure Security Agency (CISA) has announced new efforts to secure the open source ecosystem, including closer collaboration between regulators and the community.
The cyber agency's commitment came during a two-day summit on open source software (OSS) security, where Director Jen Easterly highlighted the integral role OSS plays in shoring up critical services across the United States.
During her keynote speech at the Open Source Software Security Summit, Easterly said the organization has increasingly focused on OSS security in recent years in the wake of major security incidents like Log4Shell.
“At CISA we are especially focused on OSS security because, as everyone here knows, the vast majority of our critical infrastructure relies on open source software,” she said.
“And while the Log4Shell vulnerability could have been a big wake-up call for many in government, it demonstrated what this community has known and warned about for years: due to its widespread deployment, exploitation of OSS vulnerabilities is becoming more shocking.”
On March 7, CISA announced a series of key actions it is taking to protect the software supply chain, many of which involve providing more practical support to open source developers looking to protect their projects.
In particular, the agency will launch a project to improve collaboration and information sharing between open source developers and infrastructure operators.
The agency will also work closely with package repositories to promote adoption of the Package Repository Security Principles.
Developed by CISA and the Software Repository Security Working Group of the Open Source Security Foundation (OpenSSF), the framework describes voluntary security maturity levels for package repositories.
Five of the most popular package repository operators are taking steps to align with the framework, including Rust Foundation, Python Software Foundation, Packagist and Composer, Maven Central, and npm.
CISA's move is a positive step for open source security
CISA's announcement has been welcomed by industry stakeholders as a positive shift towards a more collaborative approach between open source developers and security agencies.
Mike McGuire, senior software solutions manager at Synopsys Software Integrity Group, said open source maintainers have historically been quite diligent about keeping their code secure and up-to-date, but the initiative launched by CISA should help improve things even further.
“The efforts of the open source community, in conjunction with CISA as part of this initiative, are indicative of a broader truth, which is that maintainers and managers of open source projects generally do an effective job of keeping their code secure, up to date, and of acceptable quality,” he explained.
“There's no doubt that threat actors have taken advantage of the inherent trust we have in open source, so these efforts should go a long way toward preventing supply chain attacks from starting at the development level of open source projects.”
However, McGuire cautioned that more needs to be done for companies to ensure they responsibly manage open source assets.
“No matter what is done through these exercises, no commercial application will be more secure if development organizations do not invest more in managing the open source they leverage.”
McGuire explained that the biggest threat to open source security is poor patching practices by organizations that use third-party code.
“When more than 70% of commercial applications have a high-risk open source vulnerability and the average age of all vulnerabilities is 2.8 years, it is clear that the biggest concern is not the open source community but organizations failing to keep up to date with the varied security patch work being done by the community.”