The operators of leading open source software (OSS) package repositories, including the Python Software Foundation and the Rust Foundation, have laid out actions they are taking to better secure and protect the OSS ecosystem, following a series of high-profile OSS flaws in recent years, most notably Log4Shell.
OSS was the topic of a two-day security summit convened this week in the US by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. It brought together OSS foundations, package repositories, representatives of the wider IT industry, US government agencies and civil society organizations to explore new approaches to strengthening OSS security and to conduct tabletop exercises simulating the response to OSS vulnerabilities.
“Open source software is the foundation of critical infrastructure that Americans rely on every day,” Easterly said. “As the National Coordinator for Critical Infrastructure Security and Resilience, we are proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community and are excited about the work ahead.”
“Open source software is a critical foundation of cyberspace,” added Anjana Rajan, assistant national cyber director for technology security. “Ensuring we have a secure and resilient open source software ecosystem is a national security imperative, a driver of technological innovation, and an embodiment of our democratic values. As president of the Open Source Software Security Initiative [OS3I], ONCD is committed to making this a priority of the Biden-Harris administration and commends CISA’s leadership in convening this important forum.”
Following the conference, CISA also committed to working closely with package repositories to encourage adoption of its recently launched Package Repository Security Principles, developed together with the Open Source Security Foundation’s (OpenSSF) Software Repository Assurance Working Group, and launch a new effort to enable voluntary cooperation and cyber data sharing with OSS infrastructure operators to protect the supply chain.
Some of the initiatives driven by OSS package repositories include:
- The Rust Foundation is currently working on rolling out a public key infrastructure (PKI) for the Crates.io repository for mirroring and binary signing. It also released a more detailed threat model for Crates.io and introduced a new tool to identify malicious activity.
- The Python Software Foundation is adding multiple identity providers to PyPI’s trusted publishing, which enables credential-less publishing, extending support beyond GitHub to GitLab, Google Cloud, and ActiveState. Work to provide APIs and other tools for reporting and mitigating malware, with the goal of improving PyPI’s ability to respond quickly and effectively to problems, is also ongoing. Additionally, the ecosystem is finalizing support for PEP 740 (index support for digital attestations), which will allow digitally signed attestations and their metadata to be uploaded to Python package repositories for verification.
- Packagist and Composer have recently introduced vulnerability database scans and further measures to stop attackers from downloading packages without authorization, and will undertake further work in line with the Package Repository Security Principles and conduct a deep audit of existing codebases in 2024.
- Npm, which already requires maintainers of high-impact projects to enroll in multi-factor authentication (MFA), recently introduced a tool that lets them automatically generate package provenance and a bill of materials, improving users’ ability to track and verify the origin of their dependencies.
- Since 2021, Sonatype’s Maven Central has automatically scanned staging repositories for vulnerabilities and reported findings to developers. It will also run a publishing portal with improved repository security, including MFA support. Other planned initiatives include implementing Sigstore, evaluating trusted publishing, and namespace access control.
Maintaining secure code
Mike McGuire, senior manager of software solutions at Synopsys Software Integrity Group, said: “The efforts of the open source community, in collaboration with CISA as part of this initiative, are indicative of a larger truth, which is that open source project maintainers and managers in general do an effective job of keeping their code secure, up to date, and of acceptable quality.
“There’s no doubt that threat actors are exploiting the inherent trust we have in open source, so these efforts should go a long way in preventing supply chain attacks from starting at the development level of an open source project,” he said.
“However, no matter what is done about these exercises, no commercial application will be more secure unless development organizations invest more in managing the open source they use,” McGuire said.
“When more than 70% of commercial applications have a high-risk open source vulnerability, and the average age of all vulnerabilities is 2.8 years, it’s clear that the biggest concern is not the open source community, but organizations that fail to keep up with the various security patching jobs that the community performs,” he said.