The Cybersecurity and Infrastructure Security Agency (CISA) has announced a number of key actions that they hope will improve the open source ecosystem.

The actions were announced at a two-day Open Source Software (OSS) Security Summit attended by OSS community leaders. CISA said that it recognizes that OSS "underpins the essential services and functions of modern life", and the aim of the summit was to kick start progress in advancing security of this critical ecosystem. The agency said the urgency was underscored by security flaws such as the Log4Shell vulnerability in 2021.

CISA announced several actions that they will take to help secure the open source ecosystem in partnership with the open source community.

The first move is work to foster adoption of the Principles for Package Repository Security. This was developed by CISA and the Open Source Security Foundation's (OpenSSF) Securing Software Repositories Working Group. The framework outlines voluntary security maturity levels for package repositories.

In addition, the materials from the summit's tabletop exercise will be published by CISA for use within the open source community to improve their vulnerability and incident response capabilities.

In more practical terms, five of the most widely used package repositories have also announced changes in line with the Principles for Package Repository Security framework. The Rust Foundation is working on implementing Public Key Infrastructure for the Crates.io package repository for mirroring and binary signing. The foundation has also published a detailed threat model for Crates.io and has created tooling to identify malicious activity.

The Python Software Foundation is working to add additional providers to PyPI for credential-less publishing, and is expanding support from GitHub to include GitLab, Google Cloud and ActiveState as well. Work is ongoing to provide an API and related tools for quickly reporting and mitigating malware. Finally, the Python ecosystem is finalizing PEP 740 ("Index support for digital attestations") to enable uploading and distributing digitally signed attestations and metadata used to verify these attestations on a Python package repository, like PyPI.

Packagist and Composer have recently introduced vulnerability database scanning and measures to prevent attackers from taking over packages without authorization, and npm has introduced tooling that allows maintainers to automatically generate package provenance and SBOMs.

Maven Central is moving publishers to a new publishing portal that has enhanced repository security, including planned support for multifactor authentication. Upcoming key initiatives include Sigstore implementation, Trusted Publishing evaluation, and access control on namespaces.

More Information

CISA Website

Related Articles

White House Urges Memory Safe Software

Microsoft Launches Secure Future Initiative

EU Cyber Resilience Act Reduces Python Risk

Introducing OSS Insight

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info