
How CISA Plans to Measure Trust in Open-Source Software

Agency Is in 2nd Phase of Its Open-Source Software Security Road Map
CISA launched a comprehensive effort this year to bolster cybersecurity across open-source software ecosystems.

The United States cyber defense agency is creating a new framework to answer a critical question in cybersecurity: How can the trustworthiness of open-source software projects be accurately measured and transparently communicated?


The Cybersecurity and Infrastructure Security Agency is in the second phase of its open-source software security road map, according to a Monday blog post. The road map aims to enhance visibility into OSS use and risks across the federal government.

Measurements to evaluate the trustworthiness of certain OSS components can come from metadata made available from code hosting services and package repositories, according to Aeva Black, CISA's section chief for open-source software security. Black said in the blog post that the agency's latest OSS efforts consist of two parts: "Creating a framework for measuring trust and scaling out its usage."

CISA launched an initiative in March aimed at strengthening the security of open-source software ecosystems, collaborating with the Open Source Security Foundation to develop a set of principles and best practices to enhance the security of online repositories where software packages are stored and maintained. CISA Director Jen Easterly described open-source software as "foundational to the critical infrastructure Americans rely on every day" (see: CISA Launches New Efforts to Secure Open-Source Ecosystem).

The new framework builds on the existing approach and focuses on four dimensions: the project, the product, protection activities and policies.

The enhanced approach aims to provide transparency into the presence of known vulnerabilities or out-of-date dependencies in OSS projects, as well as the number of active contributors and any unexpected changes in account ownership. The framework will also examine project-level security practices, such as whether a project requires code review, has a vulnerability disclosure process or enforces multifactor authentication for its maintainers.

CISA also announced that it will fund an open-source tool called Hipcheck to help automate the evaluation process for determining OSS trustworthiness. Hipcheck will "combine measurement results into a useful output," according to Black, who said "tooling is necessary to make this process implementable and scalable."
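The following is an added example, not code from CISA, Hipcheck or the article, that shows what "combining measurement results" over repository metadata can look like in practice: it derives the signals the article names (active contributors, unexpected publisher accounts, out-of-date dependencies, known vulnerabilities, code review, disclosure policy, MFA) from a constructed metadata record and folds them into a single score. The metadata shape, the placeholder vulnerability identifier, the activity window and the scoring thresholds are all assumptions made for illustration; a real tool would read this data from a code host's API and a package registry.

```python
from datetime import date, timedelta

# Constructed sample metadata (not real project data), shaped like what a code
# host or package registry exposes: commit log, release publishers, declared
# maintainers, dependency pins, known-vulnerability records and repository
# protection settings. The vulnerability identifier is a placeholder.
SAMPLE_PROJECT = {
    "maintainers": {"alice", "bob"},
    "commits": [  # (author account, commit date)
        ("alice", date(2024, 8, 1)),
        ("bob", date(2024, 8, 20)),
        ("alice", date(2024, 9, 2)),
        ("carol", date(2023, 1, 15)),  # older than the activity window
    ],
    "releases": [  # (version, publishing account), oldest first
        ("1.0.0", "alice"),
        ("1.1.0", "alice"),
        ("1.2.0", "bob"),
        ("1.2.1", "mallory"),  # published by an undeclared account
    ],
    "dependencies": {  # name: (pinned version, latest published version)
        "libfoo": ("2.3.1", "2.3.1"),
        "libbar": ("0.9.0", "1.2.0"),
    },
    "known_vulnerabilities": ["PLACEHOLDER-2024-0001"],
    "requires_code_review": True,
    "has_disclosure_policy": False,
    "mfa_enforced": True,
}
SAMPLE_TODAY = date(2024, 9, 15)  # fixed "now" so the example is reproducible


def parse_version(text):
    """Turn 'a.b.c' into a comparable tuple of ints (dotted numeric versions only)."""
    return tuple(int(part) for part in text.split("."))


def active_contributors(commits, today, window_days=365):
    """Distinct accounts that committed within the trailing window (assumed: one year)."""
    cutoff = today - timedelta(days=window_days)
    return len({author for author, when in commits if when >= cutoff})


def unexpected_owner_changes(releases, maintainers):
    """Releases published by an account that is not a declared maintainer."""
    return [(version, who) for version, who in releases if who not in maintainers]


def outdated_dependencies(dependencies):
    """Dependencies pinned below the latest published version."""
    return sorted(
        name
        for name, (pinned, latest) in dependencies.items()
        if parse_version(pinned) < parse_version(latest)
    )


def evaluate(project, today):
    """Collect the individual measurements and combine them into one score.

    Each check contributes one point when it passes; the thresholds
    (for example, at least two active contributors) are illustrative assumptions.
    """
    m = {
        "active_contributors": active_contributors(project["commits"], today),
        "owner_changes": unexpected_owner_changes(project["releases"], project["maintainers"]),
        "outdated_dependencies": outdated_dependencies(project["dependencies"]),
        "known_vulnerabilities": len(project["known_vulnerabilities"]),
        "requires_code_review": project["requires_code_review"],
        "has_disclosure_policy": project["has_disclosure_policy"],
        "mfa_enforced": project["mfa_enforced"],
    }
    checks = [
        m["active_contributors"] >= 2,
        not m["owner_changes"],
        not m["outdated_dependencies"],
        m["known_vulnerabilities"] == 0,
        m["requires_code_review"],
        m["has_disclosure_policy"],
        m["mfa_enforced"],
    ]
    m["score"] = sum(checks)  # booleans count as 0 or 1
    m["max_score"] = len(checks)
    return m


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_PROJECT, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
```

On the constructed record the project scores 3 of 7: it has two recent contributors, mandatory code review and MFA, but release 1.2.1 was published by an account outside the declared maintainer set, one dependency lags its latest version, one known vulnerability is open and there is no disclosure policy. The point of returning the individual measurements alongside the score is the transparency the article calls for: a consumer can see which signal pulled the score down rather than trusting an opaque number.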

CISA did not immediately return a request for comment on the federal implementation process surrounding open-source security.

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
