CISA Launches New Efforts to Secure Open-Source Ecosystem

US Cyber Agency Aiming to Promote Information Sharing with Open Source Community
The U.S. government hopes open-source software repositories will become safer places to download libraries. (Image: Getty Images)

The U.S. Cybersecurity and Infrastructure Security Agency is aiming to improve the security posture of open-source software ecosystems with a series of actions designed to promote information sharing and enhanced package repository security.

The cyber defense agency recently published a framework in partnership with the Open Source Security Foundation that outlines a set of principles and best practices to secure the online repositories where software packages are stored and maintained. CISA also announced Thursday it is launching a voluntary collaboration and cyber defense information-sharing effort with open-source software infrastructure operators "to better protect the open source software supply chain."

In a statement following a two-day open source software security summit held at the agency's Virginia headquarters, CISA Director Jen Easterly described open-source software as being "foundational to the critical infrastructure Americans rely on every day."

Easterly said in her keynote address that package repositories "are uniquely positioned to improve the overall security posture of open-source software," yet often face resource constraints that leave them susceptible to major vulnerabilities.

At least five of the most popular package repositories have committed to taking steps that align with the Principles for Package Repository Security framework, according to CISA. The agency said organizations including the Python Software Foundation are working to develop new tools "for quickly reporting and mitigating malware," while expanding support resources from GitHub to include GitLab, Google Cloud and ActiveState.

Researchers have repeatedly discovered malicious Python packages in PyPI, one of the most widely used repositories for Python libraries. CISA said the Python ecosystem is finalizing index support for digital attestations to help verify packages.

"Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative," Anjana Rajan, assistant national cyber director for technology security, said in a statement.

Under-resourced nonprofits and open-source foundations are typically responsible for managing most popular software repositories, and they often struggle to identify and mitigate major exploits. The new initiatives will aim to provide those entities with enhanced federal support, according to Deb Bryant, U.S. policy director of the Open Source Initiative.

"Including less represented, small open-source nonprofits into the discussion will facilitate workable, practical policies and practices, building upon the strength of the collaborative model of open source," Bryant said.

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.