The OpenSSF is releasing a new framework that can be used to assess the security capabilities of package repositories and help plan for future improvements.
Called the Principles for Package Repository Security, the framework was a collaborative effort between OpenSSF’s Security Software Repositories Working Group and CISA. CISA published the Open Source Software Security Roadmap last year, and one of its focus areas was package manager security.
This framework defines four levels of security maturity across four feature categories. Categories include authentication, authorization, general capabilities, and command-line interface tooling.
According to the OpenSSF, package repositories are a critical point in the open source ecosystem for either allowing or preventing attacks. Simple actions like well documented account recovery policies can have a significant improvement on security.
At the same time, however, these improvements need to be balanced with the resource constraints that many package repositories have, especially considering that many are maintained by nonprofit organizations, OpenSSF explained.
“Through the framework, we hope to accelerate the pace at which package repositories can drive high-impact security improvements within their products,” Jack Cable, senior technical advisor at CISA and Zach Steindler, principal engineer at GitHub, wrote in a blog post.