CISA outlines efforts to secure Open Source Software
August 28, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently outlined crucial steps to bolster the security of open-source software (OSS), following a significant two-day summit with key leaders from the OSS community.
One of the major initiatives is the promotion of the Principles for Package Repository Security, a framework that establishes different levels of security maturity for package repositories. This effort is intended to fortify the infrastructure that many custom software developers rely on daily for software development. Additionally, CISA aims to foster collaboration and information sharing with OSS infrastructure operators, enhancing the community's ability to collectively respond to security threats.
In a move to share valuable insights with the broader OSS community, CISA will also release materials from a tabletop exercise conducted during the summit. This exercise was designed to simulate vulnerability and incident scenarios, providing lessons that could help improve the community’s response strategies.
The Rust Foundation, which manages the Rust programming language and its associated repositories, has already taken concrete steps to enhance security. They’ve published a detailed threat model for the Crates.io package repository and have developed tools to detect and counteract malicious activities. Moreover, the foundation is working on implementing Public Key Infrastructure (PKI) for Crates.io and plans to seek public feedback on this initiative. This move is expected to strengthen the security of the Rust ecosystem significantly.
Similarly, the Python Software Foundation (PSF) is making strides to improve the security of Python's package repository, PyPI. The PSF plans to expand its support for credential-less publishing by adding more providers like GitLab, Google Cloud, and ActiveState. Additionally, they are developing an API and tools for reporting and responding to malware incidents, and are on the verge of finalising PEP 740, which will enable digital attestations and metadata signing for Python packages. These advancements will make Python’s repository more resilient against threats and ensure that packages are more trustworthy.
Meanwhile, Packagist and Composer, popular tools in the PHP community, are also enhancing their security measures. Having already implemented vulnerability scanning and protections against unauthorised package takeovers, they are now aligning their practices with the Principles for Package Repository Security framework. They also plan to conduct a comprehensive security audit of their existing codebases to identify and address potential vulnerabilities.
In the Java ecosystem, Maven Central, the largest repository for Java and JVM language packages, is undergoing significant changes. Maintained by Sonatype, Maven Central is transitioning to a new publishing portal that will enhance security, including support for multi-factor authentication. The repository has long supported vulnerability scanning, and further enhancements are planned, such as improved access control, evaluation of trusted publishing practices, and the integration of Sigstore.
Jen Easterly, Director of CISA, emphasised the importance of these efforts, stating: “Open-source software is foundational to the critical infrastructure Americans rely on every day. As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open-source ecosystem in close partnership with the community”.
These collective efforts underscore the critical importance of securing OSS, which forms the backbone of modern technology infrastructure.