
CISA’s Plan to Measure Trust in Open-Source Software – Source: www.databreachtoday.com


The Cybersecurity and Infrastructure Security Agency (CISA) is embarking on the second phase of its open-source software security road map in an effort to enhance cybersecurity transparency and trust in open-source projects. The agency is addressing a crucial question in cybersecurity: How can the trustworthiness of open-source security projects be accurately measured and transparently communicated?

According to a recent blog post by CISA, the agency is focused on developing a new framework to evaluate the trustworthiness of open-source software components. Aeva Black, CISA’s section chief for open-source software security, explained that the framework will rely on metadata from code hosting services and package repositories to measure the trustworthiness of certain OSS components. The current efforts of CISA include creating a framework for measuring trust and expanding its utilization across the federal government.

Earlier this year, CISA launched an initiative to bolster the security of open-source software ecosystems by collaborating with the Open Source Security Foundation. The goal was to establish principles and best practices to enhance the security of online repositories where software packages are stored and maintained. CISA Director Jen Easterly emphasized the critical role of open-source software in supporting the everyday functioning of vital infrastructure.

The new framework developed by CISA focuses on four key dimensions: the project, the product, protection activities, and policies. By offering transparency into the presence of known vulnerabilities or outdated dependencies in OSS projects, as well as monitoring the number of active contributors and changes in account ownership, the framework aims to improve security across federal open-source initiatives. Additionally, the framework will address specific security requirements such as code review processes, vulnerability disclosure procedures, and multifactor authentication enforcement.
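The signals listed in this paragraph, turned into an added illustrative check that runs over constructed repository and package metadata. This is example code written for this page, not CISA's framework or Hipcheck's implementation; the metadata layout, the 180-day activity window and the thresholds in `risk_flags` are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample metadata for a hypothetical package, grouped by the four
# dimensions the article names: project, product, protection activities, policies.
SAMPLE = {
    "project": {
        "commits": [  # (author, commit date) as a code host would expose them
            ("alice", date(2024, 8, 1)), ("bob", date(2024, 7, 20)),
            ("alice", date(2024, 6, 2)), ("carol", date(2023, 1, 9)),
        ],
        "owner_history": ["alice", "alice", "dave"],  # package owner over time
    },
    "product": {
        "dependencies": {"libfoo": "1.2.0", "libbar": "0.9.1"},
        "latest_versions": {"libfoo": "1.4.0", "libbar": "0.9.1"},
        "known_vulnerable": {("libfoo", "1.2.0")},  # constructed advisory set
    },
    "protection": {"code_review_required": True, "mfa_enforced": False},
    "policies": {"vulnerability_disclosure_policy": False},
}


def evaluate(meta, today=date(2024, 8, 15), window_days=180):
    """Derive the raw trust signals from the metadata (assumed layout)."""
    cutoff = today - timedelta(days=window_days)
    proj, prod = meta["project"], meta["product"]
    hist = proj["owner_history"]
    deps = prod["dependencies"]
    return {
        "active_contributors": len({a for a, d in proj["commits"] if d >= cutoff}),
        "ownership_changes": sum(1 for a, b in zip(hist, hist[1:]) if a != b),
        "vulnerable_deps": sorted(n for n, v in deps.items() if (n, v) in prod["known_vulnerable"]),
        "outdated_deps": sorted(n for n, v in deps.items() if prod["latest_versions"].get(n, v) != v),
        "code_review_required": meta["protection"]["code_review_required"],
        "mfa_enforced": meta["protection"]["mfa_enforced"],
        "disclosure_policy": meta["policies"]["vulnerability_disclosure_policy"],
    }


def risk_flags(findings):
    """Map signals to named concerns; the thresholds here are assumptions."""
    checks = [
        ("few_active_contributors", findings["active_contributors"] < 2),
        ("ownership_changed", findings["ownership_changes"] > 0),
        ("known_vulnerable_dependency", bool(findings["vulnerable_deps"])),
        ("outdated_dependency", bool(findings["outdated_deps"])),
        ("no_code_review", not findings["code_review_required"]),
        ("mfa_not_enforced", not findings["mfa_enforced"]),
        ("no_disclosure_policy", not findings["disclosure_policy"]),
    ]
    return [name for name, triggered in checks if triggered]
```

Running `risk_flags(evaluate(SAMPLE))` on the constructed sample surfaces the ownership change, the vulnerable and outdated `libfoo` pin, the missing MFA enforcement and the absent disclosure policy, while the two recently active contributors and the mandatory code review pass.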

To automate the evaluation process and enhance the trustworthiness of OSS, CISA will fund an open-source tool called Hipcheck. This tool will consolidate measurement results into a user-friendly output, making the evaluation process more practical and scalable. Despite the proactive steps taken by CISA, the agency has not provided details on the federal implementation process for open-source security.

In conclusion, CISA’s ongoing efforts to measure trust in open-source software underscore the agency’s commitment to strengthening cybersecurity and enhancing transparency in the federal government’s use of OSS. By developing a comprehensive framework and supporting innovative tools like Hipcheck, CISA is taking proactive measures to secure critical infrastructure and promote trust in open-source projects.
