This week, the Cyber Security and Infrastructure Security Agency (CISA) held a two-day summit with open source software (OSS) leaders, with the intention of continuing its work to advance OSS security.
During the Open Source Software (OSS) Security Summit, CISA outlined three key actions it will take.
First, it will work with open source maintainers to encourage adoption of the Principles for Package Repository Security, a framework outlining maturity levels for package repositories that was jointly developed by CISA and the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group.
Several open source organizations have already agreed to use the framework for at least some of their projects, including the Rust Foundation, the Python Software Foundation, Packagist and Composer, npm, and Maven Central.
“OpenSSF’s mission is to improve the security of open source software. Package repositories are critical infrastructure for the open source community. We thank CISA for facilitating this Open Source Software (OSS) Security Summit to secure package repositories. Through continued collaboration in activities like this summit and the Package Repository Security Principles, we will improve the security of open source package repositories for everyone,” said Omkhar Arasaratnam, Director General of OpenSSF.
Second, CISA is launching a new initiative that will enable better sharing of cyber defense information with open source maintainers.
Third, CISA will publish the materials from the tabletop exercise carried out at the summit, so that any open source maintainer can use these materials and lessons learned to improve their security.
The Open Source Software (OSS) Security Summit continues CISA’s ongoing efforts to secure the open source supply chain, such as the open source software security roadmap it released last fall.
CISA Director Jen Easterly added, “Open source software is the foundation of the critical infrastructure that Americans rely on every day. As the National Coordinator for Critical Infrastructure Security and Resilience, we are proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community and are excited about the work ahead.”