CISA Outlines Efforts to Secure Open Source Software

Concluding a two-day OSS security summit, CISA details key actions to help improve open source security.

The US cybersecurity agency CISA has laid out key actions for securing open source software (OSS) following a two-day OSS security summit at which it convened with community leaders.

Steps that CISA will take in partnership with the community include promoting the Principles for Package Repository Security, a framework outlining security maturity levels for package repositories and a new effort to enable collaboration and information sharing with open source software infrastructure operators.

Furthermore, CISA will publish materials from the summit’s tabletop exercise, so that the open source community can use the lessons learned to improve vulnerability and incident response.

The Rust Foundation, which has published a threat model for its package repository and built tools for hunting malicious activity, will implement Public Key Infrastructure (PDF) for the repository and plans to request public comment on the matter.

The Python Software Foundation will add more providers to PyPI for credential-less publishing, including GitLab, Google Cloud, and ActiveState. An API and related tools for malware reporting and response are also planned, and PEP 740 (Index support for digital attestations) is almost finalized, enabling digitally signed attestations and metadata for Python package repositories.

After implementing vulnerability database scanning and unauthorized package takeover protections, Packagist and Composer will also work on improving security in line with the Principles for Package Repository Security framework and plan a thorough security audit of existing codebases.

Multi-factor authentication is now required from the maintainers of high-impact npm projects, who also have new tools available to automatically generate provenance and SBOMs, so that consumers can trace and verify dependencies.

Maven Central, the largest repository for Java and JVM language packages, maintained by Sonatype, is transitioning to a new publishing portal that improves repository security and will support multi-factor authentication.


Maven Central, which has supported vulnerability scanning for years, plans additional enhancements, including access control on namespaces, evaluation of Trusted Publishing, and a Sigstore implementation, and will benchmark its security processes against best practices.

“Open source software is foundational to the critical infrastructure Americans rely on every day. As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come,” CISA director Jen Easterly said.

Related: CISA Releases Open Source Software Security Roadmap

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: Google Contributes $1 Million to Rust, Says It Prevented Hundreds of Android Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
