The US Cybersecurity & Infrastructure Security Agency (CISA) has announced new efforts to secure the open source ecosystem, including closer collaboration between regulators and the community.
The pledge by the cyber agency came during a two-day summit on open source software (OSS) security, with director Jen Easterly highlighting the integral role OSS plays in underpinning critical services across the US.
During her opening keynote at the Open Source Software Security Summit, Easterly said the organization has placed an increased focus on OSS security in recent years in the wake of major security incidents like Log4Shell.
“We at CISA are particularly focused on OSS security because, as everyone here knows, the vast majority of our critical infrastructure relies on open source software," she said.
“And while the Log4Shell vulnerability might have been a big wakeup call for many in government, it demonstrated what this community has known and warned about for years: due to its widespread deployment, the exploitation of OSS vulnerabilities becomes more impactful.”
On 7 March, CISA announced a number of key actions it is taking aimed at securing the software supply chain, many of which involve providing more hands-on support for open source developers looking to secure their projects.
Hackers are lying low in networks to wage critical infrastructure attacks - here’s how they do it
In particular, the agency will launch a project to improve collaboration and information sharing between open source developers and infrastructure operators.
The agency will also work closely with package repositories to promote the adoption of the Principles of Package Repository Security.
Developed by CISA and the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group, the framework outlines voluntary security maturity levels for package repositories.
Five of the most popular package repository operators are taking steps to align themselves with the framework, including the Rust Foundation, Python Software Foundation, Packagist and Composer, Maven Central, and npm.
CISA move is a positive step for open source security
The announcement from CISA has been welcomed by industry stakeholders as a positive shift toward a more collaborative joint approach between open source developers and security agencies.
Mike McGuire, senior software solutions manager at Synopsys Software Integrity Group, said open source maintainers have historically been fairly diligent in keeping their code secure and up to date, but the initiative launched by CISA should help improve things further.
See the different ways businesses can use AI to futureproof their AppSec program
“The efforts of the open source community, in concert with CISA as part of this initiative, is indicative of a broader truth, which is that open source project maintainers and stewards generally do an effective job at keeping their code secure, up to date, and of acceptable quality”, he explained.
“There is no doubt that threat actors have been taking advantage of the inherent trust that we have in open source, so these efforts should go a long way in preventing supply chain attacks from starting at the level of open source project development.”
McGuire did warn that more needs to be done, however, with regard to businesses ensuring they are responsibly managing open source assets.
“No matter what is done because of these exercises, no commercial application will be made any more secure if development organizations don’t invest more in managing the open source that they leverage.”
McGuire explained that the greatest threat to open source security is bad patching practices from organizations using third party code.
“When over 70% of commercial applications have a high-risk open source vulnerability, and the average age of all vulnerabilities is 2.8 years old, it’s clear that the biggest concern is not with the open source community but with the organizations failing to keep up to date with the varying security patching work that the community is doing."
