A leading US security agency has released a long-awaited plan detailing how it will enhance open source security, both for the federal government and across the wider ecosystem.
The US Cybersecurity and Infrastructure Security Agency (CISA) Open Source Software Security Roadmap was published yesterday at the Secure Open Source Summit.
Tackling cyber-risk in open source software is a key priority for the Biden administration, given that 96% of codebases contain open source code, according to one estimate.
CISA warned of two key risks: the “cascading” impact of vulnerabilities in open source components like Log4j, and supply chain attacks on open source repositories, which include attackers seeking to compromise developer accounts and/or slip backdoor malware into packages.
To help mitigate these risks, CISA’s roadmap sets out four goals for fiscal years 2024-26:
- Establish CISA’s role in supporting more secure open source software
- Enhance visibility into open source usage and risks
- Reduce risks to the federal government
- Harden the open source software ecosystem
The last of these goals will include efforts to improve developer education, deliver best-practice security guidance, foster greater vulnerability disclosure and response, and encourage greater standardization and adoption of the software bill of materials (SBOM) across supply chains.
“Open source software has fostered tremendous innovation and economic gain, including serving as the foundation for technologies used across our federal government and every critical sector,” said Eric Goldstein, CISA executive assistant director for cybersecurity.
“In part due to this prevalence, we know that vulnerable or malicious open source software can introduce systemic risks to our economy and essential functions. CISA is proud to serve as a partner to the open source community as we collectively take urgent steps to support open source security and ensure that all partners in this critical ecosystem invest in a secure, resilient, and innovative open source future.”