CISA releases roadmap for securing open-source software

Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an executive order to improve cybersecurity, and since then it has made progress in providing guidance to companies on how to actually meet these cybersecurity goals. 

Now the U.S. federal Cybersecurity & Infrastructure Security Agency (CISA) is building on that work with a new roadmap specifically for securing open-source software (OSS). 

“CISA recognizes the immense benefits of open source software, which enables software developers to work at an accelerated pace and fosters significant innovation and collaboration. With these benefits in mind, this roadmap lays out how CISA will help enable the secure usage and development of OSS, both within and outside the federal government,” CISA wrote in the document for the roadmap. 

The roadmap defines two major types of open-source vulnerabilities. The first is the cascading effects of vulnerabilities for widely used open-source software. It cited Log4Shell as an example of the widespread consequences that could result from open-source software being compromised. 

The second is supply chain attacks on open-source repositories, which could result in negative downstream impacts, such as a developer’s account being compromised and an attacker using it to commit malicious code. 

The roadmap lists four key priorities: establishing its own role in supporting security of open source, driving visibility into usage and risks of open source, reducing risks to the federal government, and hardening the open-source ecosystem. 

According to CISA, this will all help it achieve its vision for open-source software, which is one in which “every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community.”

Dan Lorenc, co-founder and CEO of supply chain security company Chainguard, feels that CISA has done a good job in segmenting the problems in this field and then prioritizing work to address them. 

He also said they did a good job at recognizing that the work needs to “happen upstream, and CISA employees will need to engage directly with communities,” though he said he still remains skeptical on how that will actually go, but is trying to stay optimistic. 

Lorenc recommends the government put some efforts into actually funding open-source projects, which the roadmap currently doesn’t address at all. 

“The government doesn’t have a great reputation for helping out with direct code or other contributions, but they do have the ability to help fund work already being done to achieve many of these roadmap items, such as memory safety, vulnerability remediation and SBOM tooling,” Lorenc told SD Times. “The government collaboration model here can’t be ‘you push, we’ll steer.”