
CISA aims to prevent next Log4Shell by…

March 8th – CISA intends to bring agencies, industry, regulators and the open source community closer together to better secure the open source ecosystem.

The agency announced its commitment to this effort during a two-day summit on open source software (OSS) security, where director Jen Easterly emphasized the role of open source code in critical services nationwide.

Easterly noted that CISA has ramped up its OSS security focus in response to the major cybersecurity incidents of the past few years, citing Log4Shell as an example.

“We at CISA are particularly focused on OSS security because, as everyone here knows, the vast majority of our critical infrastructure relies on open source software,” said Easterly.

CISA & OSS security

CISA is actively undertaking various projects to bolster the security of the software supply chain.

For instance, the agency plans to collaborate with package repositories to promote the adoption of the Principles of Package Repository Security, a framework that outlines voluntary security measures.

While the voluntary aspect of this framework has sparked debates regarding its potential, several popular package repository operators — Rust Foundation, Python Software Foundation, Packagist, Composer, Maven Central and npm — are aligning around it.

Shifting approach

In general, CISA's new initiatives are widely seen as a positive start. That said, experts note that more effort is needed, particularly in ensuring that enterprises manage the open source components they depend on responsibly.

One of the most significant threats to open source security is inadequate patching, specifically among organizations that rely on third-party code but do not track and update the open source components bundled within it.
