Continued Progress Towards a Secure Open Source Ecosystem
In March of this year, CISA accelerated our work to secure open source software (OSS) by holding our first Open Source Software Security Summit. The event gathered OSS leaders from across the community to learn from one another and to participate in a tabletop exercise centered on a joint response to a hypothetical vulnerability in critical OSS. We heard and announced a lot of good work that's being done across the community and emphasized our approach as a facilitator for this important effort. A synchronized approach across the board will help drive security improvements and we have been busy in the months since that event to guide progress and document lessons learned.
Driving visibility
CISA’s latest efforts focus on Goal 2 of CISA’s Open Source Software Security Roadmap to “Drive Visibility into OSS Usage and Risks”. Achieving this goal will enable CISA and our partners across the federal government and critical infrastructure to manage cybersecurity risks more effectively and efficiently in the OSS that their missions substantially depend upon.
The task of assessing the trustworthiness of OSS that is in use, or that is being considered for use, is more complex for OSS than for proprietary software, because there is, generally speaking, no direct relationship between the authors of software and those who use that software. Whereas commercial software procurement creates a relationship between a purchaser and a supplier, in which the purchaser can ask for certain assurances of secure software development, the direct usage of OSS does not create a purchaser-supplier relationship. Even when mature open source software projects publish software bills of material or other artifacts of secure software development practices, it is the responsibility of those who use the project to perform the necessary diligence to continually assess each open source project, as discussed in CISA and partners’ Recommended Practices for Managing Open Source Software guidance.
This effort to assess trustworthiness of OSS consists of two parts: creating a framework for measuring trust and scaling out its usage.
Creating the Framework
The first task is to create a generally applicable framework for assessing the trustworthiness of any given OSS component. To do so, CISA is building upon an existing approach to evaluate the process by which OSS is developed across four dimensions: the project, the product, protection activities, and policies. Example measures within each category could include:
- For the project: the number of active contributors, or unexpected changes in account ownership
- For the product: the presence of known vulnerabilities or out-of-date dependencies
- For protections: whether the project requires two-factor authentication on developer accounts
- For policies: whether the project requires code review, or has a responsible vulnerability disclosure process
Measurements can be taken from a variety of data sources, including public data about OSS components such as metadata made available by package repositories and code hosting services. Taken together, the collected measurements can be grouped into these four categories to provide software users and choosers a consistent way to evaluate the trustworthiness of a particular OSS component.
Scaling Usage of the Framework
The second part of the effort is to automate the process of comparing components against the framework, while accounting for the subjectivity of each observer. While each software chooser could conceivably perform this evaluation manually, based on their unique evaluation criteria and operational requirements, tooling is necessary to make this process implementable and scalable. To make this possible, CISA is funding the development of Hipcheck, an open source tool to automate these measurements and to combine measurement results into a useful output.
Leading collaboration and commitment
As work on both the framework and supporting tools continue to progress, we will improve our capability to assess OSS trustworthiness at scale, which in turn will benefit federal agencies, critical infrastructure, and the American public at large. We look forward to bringing members of the cybersecurity and open source communities together in the process of refining this work, so that it will have the largest possible impact.
We believe that a thriving open source ecosystem is a strong defense against a divided world—digital or otherwise. For all the benefits that collaborative development of OSS creates for society, there are those who seek to take advantage of these systems for nefarious purposes.
By committing to the principles of transparent and collaborative development of open source software, and prioritizing security considerations early and often, it will be substantially more difficult for malicious actors to succeed in exploiting OSS for nefarious purposes. It is by intentionally and proactively prioritizing security principles—like those espoused by the Secure by Design campaign—that actors will have a harder time creating exploitable divides in the first place.
If you would like to help, please send us an email at: OpenSource@cisa.dhs.gov.
For more on our work on OSS Security, visit cisa.gov/oss.