CISA Launches New Efforts to Secure Open-Source Ecosystem
US Cyber Agency Aiming to Promote Information Sharing with Open Source Community
The U.S. Cybersecurity and Infrastructure Security Agency is aiming to improve the security posture of open-source software ecosystems with a series of actions designed to promote information sharing and enhanced package repository security.
The cyber defense agency recently published a framework in partnership with the Open Source Security Foundation that outlines a set of principles and best practices to secure the online repositories where software packages are stored and maintained. CISA also announced Thursday it is launching a voluntary collaboration and cyber defense information-sharing effort with open-source software infrastructure operators "to better protect the open source software supply chain."
In a statement following a two-day open source software security summit held at the agency's Virginia headquarters, CISA Director Jen Easterly described open-source software as being "foundational to the critical infrastructure Americans rely on every day."
Easterly said in her keynote address that package repositories "are uniquely positioned to improve the overall security posture of open-source software," yet often face resource constraints that leave them susceptible to major vulnerabilities.
At least five of the most popular package repositories have committed to taking steps that align with the Principles for Package Repository Security framework, according to CISA. The agency said organizations including the Python Software Foundation are working to develop new tools "for quickly reporting and mitigating malware," while expanding support resources from GitHub to include GitLab, Google Cloud and ActiveState.
Researchers have repeatedly discovered malicious Python packages in PyPI, one of the most widely used repositories for Python libraries. CISA said the Python ecosystem is finalizing index support for digital attestations to help verify packages.
"Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative," Anjana Rajan, assistant national cyber director for technology security, said in a statement.
Under-resourced nonprofits and open-source foundations are typically responsible for managing the most popular software repositories, and they often struggle to identify and mitigate major exploits. The new initiatives will aim to provide those entities with enhanced federal support, according to Deb Bryant, U.S. policy director of the Open Source Initiative.
"Including less represented, small open-source nonprofits into the discussion will facilitate workable, practical policies and practices, building upon the strength of the collaborative model of open source," Bryant said.