
The operators of leading open source software (OSS) package repositories, including the Python Software Foundation and the Rust Foundation, have set out the actions they are taking to better secure and protect the OSS ecosystem, a need underscored by a series of high-profile OSS flaws in the past few years, most notably Log4Shell.

OSS was the subject of a two-day security summit convened by the director of the US Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, this week. The summit brought together OSS foundations, package repositories, representatives from the wider IT industry, US government agencies and civil society organisations to explore new approaches to strengthening OSS security and to conduct tabletop wargame exercises on OSS vulnerability response.

“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said Easterly. “As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”

“Open source software is a mission-critical foundation of cyber space,” added Anjana Rajan, assistant national cyber director for technology security. “Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative, a technology innovation enabler and an embodiment of our democratic values. As the chair of the Open Source Software Security Initiative [OS3I], ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”

Following the conference, CISA has also committed to working closely with package repositories to push take-up of its recently launched Principles for Package Repository Security, co-developed with the Open Source Security Foundation’s (OpenSSF’s) Securing Software Repositories Working Group, and launched a new effort to enable voluntary collaboration and cyber data sharing with OSS infrastructure operators to protect the supply chain.

Some of the initiatives being advanced by OSS package repositories include:

  • The Rust Foundation is currently working to bring in Public Key Infrastructure (PKI) for the Crates.io repository for mirroring and binary signing. It has also published a more detailed threat model for Crates.io, and introduced new tooling to identify malicious activity.
  • The Python Software Foundation is currently on-boarding more providers to PyPI to enable trusted, credential-less publishing, and expanding support from GitHub to include GitLab, Google Cloud and ActiveState. Work to provide an API and other tools to report and mitigate malware, with the goal of increasing PyPI’s ability to respond to the problem quickly and effectively, is also underway. Additionally, the ecosystem is finalising index support for digital attestations, PEP 740, which will enable digitally signed attestations and their verifying metadata to be uploaded to Python package repositories.
  • Packagist and Composer recently brought in vulnerability database scanning and further measures to stop attackers from taking over packages without authorisation, and will be undertaking more work in line with the Principles for Package Repository Security framework, including an in-depth audit of existing codebases, later in 2024.
  • Npm, which already requires those who maintain high-impact projects to enrol in multi-factor authentication (MFA), has recently introduced tooling that lets them automatically generate package provenance and software bills of materials to enhance users’ ability to trace and verify the provenance of their dependencies.
  • Sonatype’s Maven Central has, since 2021, been automatically scanning staged repositories for vulnerabilities and reporting to their developers. Going forward, it’s launching a publishing portal with enhanced repository security, including support for MFA. Other future initiatives include Sigstore implementation, Trusted Publishing evaluation and access control on namespaces.

Keeping code secure

Mike McGuire, senior software solutions manager at the Synopsys Software Integrity Group, said: “The efforts of the open source community, in concert with CISA as part of this initiative, are indicative of a broader truth, which is that open source project maintainers and stewards generally do an effective job at keeping their code secure, up to date and of acceptable quality.

“There is no doubt that threat actors have been taking advantage of the inherent trust that we have in open source, so these efforts should go a long way in preventing supply chain attacks from starting at the level of open source project development,” he said.

“However, no matter what is done because of these exercises, no commercial application will be made any more secure if development organisations don’t invest more in managing the open source that they leverage,” said McGuire.

“When over 70% of commercial applications have a high-risk open source vulnerability, and the average age of all vulnerabilities is 2.8 years old, it’s clear that the biggest concern is not with the open source community, but with the organisations failing to keep up to date with the varying security patching work that the community is doing,” he said.
