How CISA Plans to Measure Trust in Open-Source Software
Agency Is in 2nd Phase of Its Open-Source Software Security Road Map
The United States cyber defense agency is creating a new framework to answer a critical question in cybersecurity: How can the trustworthiness of open-source security projects be accurately measured and transparently communicated?
The Cybersecurity and Infrastructure Security Agency is in the second phase of its open-source software security road map, according to a Monday blog post. The road map aims to enhance visibility into OSS use and risks across the federal government.
Measurements to evaluate the trustworthiness of certain OSS components can come from metadata made available from code hosting services and package repositories, according to Aeva Black, CISA's section chief for open-source software security. Black said in the blog post that the agency's latest OSS efforts consist of two parts: "Creating a framework for measuring trust and scaling out its usage."
CISA launched an initiative in March aimed at strengthening the security of open-source software ecosystems, collaborating with the Open Source Security Foundation to develop a set of principles and best practices to enhance the security of online repositories where software packages are stored and maintained. CISA Director Jen Easterly described open-source software as "foundational to the critical infrastructure Americans rely on every day" (see: CISA Launches New Efforts to Secure Open-Source Ecosystem).
The new framework builds on the existing approach and focuses on four dimensions: the project, the product, protection activities and policies.
The enhanced approach aims to provide transparency into the presence of known vulnerabilities or out-of-date dependencies in OSS projects, as well as the number of active contributors or unexpected changes in account ownership for open-source initiatives. The framework will also explore federal open-source project security specifics such as whether certain initiatives require code review, mandate vulnerability disclosure processes or enforce multifactor authentication.
CISA also announced that it will fund an open-source tool called Hipcheck to help automate the evaluation process for determining OSS trustworthiness. Hipcheck will "combine measurement results into a useful output," according to Black, who said "tooling is necessary to make this process implementable and scalable."
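As an added illustration (not CISA's or Hipcheck's code), the following scorer applies the metadata signals the article names (known vulnerabilities, out-of-date dependencies, active contributors, ownership changes, code review, vulnerability disclosure and MFA enforcement) to a constructed project record and combines the results into one output; the check thresholds, weights and sample records are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class ProjectMetadata:
    """Constructed metadata record of the kind a code host or package registry exposes."""
    name: str
    open_advisories: int         # known vulnerabilities in the project or its dependencies
    outdated_dependencies: int   # direct dependencies behind their latest release
    active_contributors: int     # distinct committers in the last 12 months
    ownership_changes: int       # maintainer/owner account changes in the same window
    requires_code_review: bool   # merges need an approving review
    has_disclosure_policy: bool  # documented vulnerability disclosure process
    enforces_mfa: bool           # MFA required for maintainer accounts


# (check name, weight, predicate); thresholds and weights are illustrative assumptions
CHECKS = [
    ("no_known_vulnerabilities", 25, lambda p: p.open_advisories == 0),
    ("dependencies_current",     15, lambda p: p.outdated_dependencies == 0),
    ("active_contributors",      15, lambda p: p.active_contributors >= 3),
    ("stable_ownership",         15, lambda p: p.ownership_changes == 0),
    ("code_review_required",     10, lambda p: p.requires_code_review),
    ("disclosure_policy",        10, lambda p: p.has_disclosure_policy),
    ("mfa_enforced",             10, lambda p: p.enforces_mfa),
]


def measure(project):
    """Run every check against the metadata and return {check_name: passed}."""
    return {name: bool(pred(project)) for name, _, pred in CHECKS}


def combine(results):
    """Fold per-check results into a 0-100 score plus the list of failed checks."""
    score = sum(weight for name, weight, _ in CHECKS if results[name])
    failed = [name for name, _, _ in CHECKS if not results[name]]
    return score, failed


def assess(project):
    """Measure a project and combine the findings into a single summary."""
    score, failed = combine(measure(project))
    return {"project": project.name, "score": score, "failed": failed}


# Constructed sample records; neither is a real project
HEALTHY = ProjectMetadata("example-lib", 0, 0, 8, 0, True, True, True)
CONCERNING = ProjectMetadata("legacy-util", 2, 5, 1, 1, True, True, False)

if __name__ == "__main__":
    for project in (HEALTHY, CONCERNING):
        print(assess(project))
```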
CISA did not immediately return a request for comment on the federal implementation process surrounding open-source security.