
CISA Outlines Efforts to Secure Open Source Software

Concluding a two-day OSS security summit, CISA details key actions to help improve open source security.


The US cybersecurity agency CISA has laid out key actions for securing open source software (OSS) following a two-day OSS security summit at which it convened with community leaders.

Steps that CISA will take in partnership with the community include promoting the Principles for Package Repository Security (a framework outlining security maturity levels for package repositories) and launching a new effort to enable collaboration and information sharing with open source software infrastructure operators.

Furthermore, CISA will publish materials from the summit’s tabletop exercise, so that the open source community can use the lessons learned to improve vulnerability and incident response.

The Rust Foundation, which published a threat model for the Crates.io package repository and built tools for hunting malicious activity, will implement Public Key Infrastructure for Crates.io (the plan is published as a PDF) and intends to request public comment on the matter.

The Python Software Foundation will add more providers to PyPI for credential-less publishing, including GitLab, Google Cloud, and ActiveState. An API and related tools for malware reporting and response are also planned, and PEP 740 (Index support for digital attestations) is almost finalized, enabling digitally signed attestations and metadata for Python package repositories.

After implementing vulnerability database scanning and unauthorized package takeover protections, Packagist and Composer will also work on improving security in line with the Principles for Package Repository Security framework and plan a thorough security audit of existing codebases.

Multi-factor authentication is now required of the maintainers of high-impact npm projects, who also have new tools available to automatically generate provenance and SBOMs, so that consumers can trace and verify dependencies.

Maven Central, the largest repository for Java and JVM language packages, maintained by Sonatype, is transitioning to a new publishing portal that improves repository security and will support multi-factor authentication.


Maven Central, which has supported vulnerability scanning for years, plans additional enhancements, including access control on namespaces, an evaluation of Trusted Publishing, and a Sigstore implementation, and will benchmark its security processes against best practices.

“Open source software is foundational to the critical infrastructure Americans rely on every day. As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come,” CISA director Jen Easterly said.

Related: CISA Releases Open Source Software Security Roadmap

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: Google Contributes $1 Million to Rust, Says It Prevented Hundreds of Android Vulnerabilities


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
