Connect with us

Hi, what are you looking for?


Application Security

CISA Releases Open Source Software Security Roadmap

CISA details its plan to support the open source software ecosystem and secure the use of open source software within the federal government.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published a new document detailing its plan to support the open source software (OSS) ecosystem and to secure the use of OSS by federal agencies.

According to the agency, OSS, which can be accessed, modified, and distributed by anyone, can drive higher-quality code and foster collaboration, but also poses high risks through wide-impact vulnerabilities, such as Log4Shell.

CISA’s Open Source Software Security Roadmap (PDF) details priorities in securing the OSS ecosystem, by establishing the agency’s role in this endeavor, driving visibility into the use and risks of open source software, reducing risks to federal agencies, and hardening the ecosystem.

Federal agencies and critical infrastructure organizations, CISA notes, greatly depend on OSS, which can be found in nearly all studied codebases across various sectors, according to a recent Synopsis report.

“Aligning with the National Cybersecurity Strategy’s goal of a ‘more resilient, equitable, and defensible cyberspace’, CISA envisions a prosperous future where secure, resilient technology is the backbone of our world. Open source software, fostering significant growth as part of the foundation on which technology is built, is key to this future,” CISA notes.

According to the agency, it is essential to secure the OSS infrastructure, which starts by understanding the relevant vulnerabilities and attacks.

Security flaws in OSS have particularly widespread consequences and CISA is determined to help reduce the prevalence of exploitable bugs and aid responders. At the same time, CISA draws attention towards the malicious compromise of OSS components, which typically leads to downstream compromise.

Advertisement. Scroll to continue reading.

As detailed in the roadmap document, CISA will engage with the OSS community to better understand the ecosystem and drive collaboration, but will also encourage package managers and code hosting services to take action, will engage with international partners, and will increase its OSS security expertise, while establishing an internal CISA Open Source Software Security Working Group.

The agency is also focused on identifying the OSS libraries most used in support of critical functions within federal agencies and critical infrastructure entities, and will use the information to understand risks and prioritize mitigation and risk reduction efforts.

To reduce risks to federal agencies, CISA will evaluate solutions to secure OSS usage, will develop an open source program office (OSPO) best practice guidance, and will continue work on identifying policies and resources that can help improve OSS security and resilience.

Additionally, CISA will work on hardening the broader OSS ecosystem, mainly focusing on the security of critical OSS components used within the federal government and critical infrastructure. It will also broaden its SBOM work, will support security education for OSS developers, will publish OSS security usage best practices guidance, and will continue to coordinate vulnerability disclosure and response for OSS flaws.

Related: CISA Releases Guidance on Adopting DDoS Mitigations

Related: CISA Hires ‘Mudge’ to Work on Security-by-Design Principles

Related: MITRE and CISA Release Open Source Tool for OT Attack Emulation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.