Securing open source software: Who is responsible?

Translated from: Sikring af open source software: Hvem er ansvarlig?
The US government and major open source foundations are working together to improve the security of the software supply chain. The effort includes voluntary threat sharing and increased support for developers.

The US government and some of the largest open source foundations and package repositories have announced a number of initiatives to improve security in the software supply chain, while reiterating calls for developers to increase support for such efforts.

On the government side, this includes a voluntary threat intelligence sharing program between the authorities and the developers and operators of open source software, which the US Cybersecurity and Infrastructure Security Agency (CISA) will lead.

"We want to help promote real-time collaboration around security incidents," explained CISA Director Jen Easterly in a keynote speech at the agency's Open Source Software Security Summit this week.


Easterly used her speech to announce new public-private partnerships.

"We recognize that working with this community will be a little different than how we typically work with companies, especially with the unique international complexities that come into play due to the global nature of open source," she noted, adding, "Your participation and feedback will therefore be crucial to ensure this initiative is a success."

In addition to the threat sharing initiative, five major open source software organizations have pledged a number of steps to improve the security of their respective projects.

The Rust Foundation will develop public key infrastructure for its package registry to support mirroring and binary signing. The foundation has also published a threat model for the registry, along with tools to identify malicious packages.


In addition, the Python Software Foundation will expand its Python Package Index (PyPI) "Trusted Publishing" effort to additional providers beyond GitHub. Trusted Publishing lets PyPI verify the identity of a maintainer's publishing pipeline via the OpenID Connect (OIDC) standard: the CI provider issues a short-lived identity token for each run, and PyPI checks it against a publisher the maintainer registered in advance, so no long-lived API token has to be stored in the project.

When it launched in April 2023, Trusted Publishing supported GitHub. At the summit, the Python Software Foundation revealed that it will soon support GitLab, Google Cloud, and ActiveState.
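The registry-side check that Trusted Publishing relies on, as an added example. This is not PyPI's own code: it models the decision PyPI makes on upload (is the OIDC token genuine, unexpired, minted for this registry, and does it name the one workflow the maintainer registered?). It assumes the claim names GitHub documents for its Actions OIDC tokens (`repository`, `repository_owner`, `job_workflow_ref`, `environment`) and a publisher record made of owner, repository, workflow filename and optional environment. To run offline, an HMAC with a shared key stands in for the issuer's RSA key pair; a real registry verifies the signature against the issuer's published JWKS. All sample claims are constructed.

```python
"""Registry-side check of a Trusted Publishing OIDC token (added example, not PyPI code)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "pypi"
# Assumption: HMAC with a shared key stands in for the issuer's RSA key pair so the
# example runs offline. A real registry verifies against the issuer's public JWKS.
DEMO_KEY = b"example-issuer-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a JWT the way the CI provider's OIDC endpoint would (HS256 stand-in for RS256)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


@dataclass(frozen=True)
class TrustedPublisher:
    """What the maintainer registers on the index: the single workflow allowed to publish."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None


def verify_token(token: str, now: float, key: bytes = DEMO_KEY) -> dict:
    """Check signature, issuer, audience and lifetime; return the claims or raise ValueError."""
    head, body, sig = token.split(".")  # raises ValueError on a malformed token
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != GITHUB_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not from a trusted issuer, or not minted for this registry")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return claims


def matches_publisher(claims: dict, pub: TrustedPublisher) -> bool:
    """Bind the verified token to one registered publisher; every field must match."""
    # GitHub formats job_workflow_ref as "owner/repo/.github/workflows/file.yml@refs/..."
    workflow_path = claims.get("job_workflow_ref", "").partition("@")[0]
    return (
        claims.get("repository_owner") == pub.owner
        and claims.get("repository") == f"{pub.owner}/{pub.repository}"
        and workflow_path == f"{pub.owner}/{pub.repository}/.github/workflows/{pub.workflow_filename}"
        and (pub.environment is None or claims.get("environment") == pub.environment)
    )


def authorize_upload(token: str, pub: TrustedPublisher, now: float) -> bool:
    """True only if the token verifies *and* names the registered workflow."""
    try:
        return matches_publisher(verify_token(token, now), pub)
    except ValueError:
        return False


# Constructed sample claims in the shape of a GitHub Actions OIDC token.
NOW = 1_700_000_000
GOOD_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": EXPECTED_AUDIENCE,
    "sub": "repo:example-org/example-pkg:environment:release",
    "repository": "example-org/example-pkg", "repository_owner": "example-org",
    "job_workflow_ref": "example-org/example-pkg/.github/workflows/release.yml@refs/tags/v1.2.0",
    "environment": "release",
    "iat": NOW, "nbf": NOW, "exp": NOW + 600,  # minutes of validity, not months
}
PUBLISHER = TrustedPublisher("example-org", "example-pkg", "release.yml", "release")


def demo() -> dict:
    """The accept path plus the rejections a registry must get right."""
    fork = dict(GOOD_CLAIMS, repository="attacker/example-pkg", repository_owner="attacker",
                job_workflow_ref="attacker/example-pkg/.github/workflows/release.yml@refs/heads/main")
    other_wf = dict(GOOD_CLAIMS,
                    job_workflow_ref="example-org/example-pkg/.github/workflows/ci.yml@refs/heads/main")
    head, _, sig = mint_token(GOOD_CLAIMS).split(".")
    tampered = f"{head}.{_b64url(json.dumps(fork).encode())}.{sig}"  # payload swapped, old signature
    return {
        "valid": authorize_upload(mint_token(GOOD_CLAIMS), PUBLISHER, NOW),
        "fork_of_repo": authorize_upload(mint_token(fork), PUBLISHER, NOW),
        "other_workflow": authorize_upload(mint_token(other_wf), PUBLISHER, NOW),
        "expired": authorize_upload(mint_token(GOOD_CLAIMS), PUBLISHER, NOW + 601),
        "tampered": authorize_upload(tampered, PUBLISHER, NOW),
    }
```

The two checks are deliberately separate: `verify_token` establishes that the issuer really minted this token and that it is still inside its short lifetime, while `matches_publisher` decides whether that identity is allowed to publish this project. Matching on the full workflow path rather than only the repository is what stops a second workflow in the same repository (or a fork carrying the same filename) from publishing, and the optional environment lets a maintainer require GitHub's environment protection rules on top.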

It is also working on an API and associated tools for reporting and handling malware on PyPI. Additionally, it is adding index support for digital attestations, which will enable the upload and distribution of digitally signed attestations, together with the metadata needed to verify them, on a Python package repository such as PyPI.

Packagist and Composer recently added vulnerability database scanning and other measures to prevent attackers from taking over packages without authorization. The projects' maintainers will also conduct a security review of the existing code base this year.


Maven Central, the largest open source package repository for Java and JVM languages, maintained by Sonatype, is this year transitioning publishers to a new release portal with stronger security controls. This includes planned support for multi-factor authentication (MFA).

Sonatype is also working on signing-key security, including a Sigstore implementation, and is evaluating Trusted Publishing (as PyPI already offers) and namespace access control.

And while it is not entirely new, in 2022 NPM, which bills itself as the world's largest software registry, began requiring maintainers of high-impact projects to use MFA. Last year, NPM shipped tooling that lets maintainers automatically generate package provenance attestations and software bills of materials (SBOMs), which allow anyone consuming the open source packages to trace and verify where the code came from and what it depends on.
