CISA announces open source initiatives

On March 6, the Cybersecurity and Infrastructure Security Agency (CISA) concluded a two-day Open Source Software (OSS) Security Summit convening OSS community leaders and announced key actions to help secure the open source ecosystem. Recognizing that OSS underpins the essential services and functions of modern life, the Summit sought to catalyze progress in advancing security of this critical ecosystem. This urgency was underscored by security flaws such as the Log4Shell vulnerability in 2021.

CISA Director Jen Easterly opened the summit with keynote remarks and was followed by a panel discussion with Office of National Cyber Director (ONCD) Assistant National Cyber Director for Technology Security Anjana Rajan, CISA Open Source Security Section Chief Aeva Black, and CISA Senior Technical Advisor Jack Cable. The summit also featured a tabletop exercise on open source vulnerability response and a roundtable discussion on package manager security.

During the summit, OSS community leaders, including open source foundations, package repositories, civil society, industry and federal agencies explored approaches to help strengthen the security of the open source infrastructure we all rely upon. As part of this collaborative effort, CISA announced several initial key actions that CISA will take to help secure the open source ecosystem in partnership with the open source community:

  • CISA is working closely with package repositories to foster adoption of the Principles for Package Repository Security. Developed by CISA and the Open Source Security Foundation’s (OpenSSF) Securing Software Repositories Working Group, this framework was published recently and outlines voluntary security maturity levels for package repositories.
  • CISA has launched a new effort to enable voluntary collaboration and cyber defense information sharing with open source software infrastructure operators to better protect the open source software supply chain.
  • Materials from the summit’s tabletop exercise will be published by CISA so that the lessons learned can be used by any open source community to improve their vulnerability and incident response capabilities.

Additionally, five of the most widely used package repositories are taking steps in line with the Principles for Package Repository Security framework:

  • The Rust Foundation is working on implementing Public Key Infrastructure for the package repository to support mirroring and binary signing, and plans to issue a Request for Comment. The Rust Foundation has also published a detailed threat model for the package repository and has created tooling to identify malicious activity.
  • The Python Software Foundation is working to add additional providers to PyPI for credential-less publishing (“Trusted Publishing”), expanding support from GitHub to include GitLab, Google Cloud and ActiveState as well. Work is ongoing to provide an API and related tools for quickly reporting and mitigating malware, with the goal of increasing PyPI’s ability to respond to malware in a timely manner without consuming significant resources. Finally, the Python ecosystem is finalizing PEP 740 (“Index support for digital attestations”) to enable uploading and distributing digitally signed attestations and metadata used to verify these attestations on a Python package repository, like PyPI.
  • Packagist and Composer have recently introduced vulnerability database scanning and measures to prevent attackers from taking over packages without authorization. Further work to increase security in line with the Principles for Package Repository Security framework is in progress, and a thorough security audit of existing codebases will take place this year.
  • The package repository npm requires maintainers of high-impact projects to enroll in multifactor authentication. Additionally, npm has introduced tooling that allows maintainers to automatically generate package provenance and SBOMs, giving consumers of those open source packages the ability to trace and verify the provenance of dependencies.
  • Maven Central (maintained by Sonatype) is the largest open source repository for Java and JVM languages, and enforces validation and metadata requirements with clear namespaces. Since 2021, all staged repositories have automatically been scanned for vulnerabilities when published, and developers receive a report with any security issues. In 2024, Maven Central is transitioning publishers to a new publishing portal that has enhanced repository security, including planned support for multifactor authentication. Upcoming key initiatives include Sigstore implementation, Trusted Publishing evaluation, and access control on namespaces. This includes Maven Central benchmarking the maturity of its security processes against best practices, which will also guide backlog prioritization.

“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said Easterly. “As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”

“Open source software is a mission-critical foundation of cyberspace that the U.S. Government must continue to defend,” said Anjana Rajan, assistant national cyber director for technology security. “Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative, a technology innovation enabler, and an embodiment of our democratic values. As the chair of the Open Source Software Security Initiative (OS3I), ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”

Source: CISA

Stay in the know with breaking news from across the IC and IC contracting landscape by becoming a paid subscriber to IC News. Your support makes our work possible.