The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published a new document detailing its plan to support the open source software (OSS) ecosystem and to secure the use of OSS by federal agencies.
According to the agency, OSS, which can be accessed, modified, and distributed by anyone, can drive higher-quality code and foster collaboration, but also poses high risks through wide-impact vulnerabilities, such as Log4Shell.
CISA’s Open Source Software Security Roadmap (PDF) details priorities in securing the OSS ecosystem, by establishing the agency’s role in this endeavor, driving visibility into the use and risks of open source software, reducing risks to federal agencies, and hardening the ecosystem.
Federal agencies and critical infrastructure organizations, CISA notes, greatly depend on OSS, which can be found in nearly all studied codebases across various sectors, according to a recent Synopsis report.
“Aligning with the National Cybersecurity Strategy’s goal of a ‘more resilient, equitable, and defensible cyberspace’, CISA envisions a prosperous future where secure, resilient technology is the backbone of our world. Open source software, fostering significant growth as part of the foundation on which technology is built, is key to this future,” CISA notes.
According to the agency, it is essential to secure the OSS infrastructure, which starts by understanding the relevant vulnerabilities and attacks.
Security flaws in OSS have particularly widespread consequences and CISA is determined to help reduce the prevalence of exploitable bugs and aid responders. At the same time, CISA draws attention towards the malicious compromise of OSS components, which typically leads to downstream compromise.
As detailed in the roadmap document, CISA will engage with the OSS community to better understand the ecosystem and drive collaboration, but will also encourage package managers and code hosting services to take action, will engage with international partners, and will increase its OSS security expertise, while establishing an internal CISA Open Source Software Security Working Group.
The agency is also focused on identifying the OSS libraries most used in support of critical functions within federal agencies and critical infrastructure entities, and will use the information to understand risks and prioritize mitigation and risk reduction efforts.
To reduce risks to federal agencies, CISA will evaluate solutions to secure OSS usage, will develop an open source program office (OSPO) best practice guidance, and will continue work on identifying policies and resources that can help improve OSS security and resilience.
Additionally, CISA will work on hardening the broader OSS ecosystem, mainly focusing on the security of critical OSS components used within the federal government and critical infrastructure. It will also broaden its SBOM work, will support security education for OSS developers, will publish OSS security usage best practices guidance, and will continue to coordinate vulnerability disclosure and response for OSS flaws.
Related: CISA Releases Guidance on Adopting DDoS Mitigations
Related: CISA Hires ‘Mudge’ to Work on Security-by-Design Principles
Related: MITRE and CISA Release Open Source Tool for OT Attack Emulation
