CISA releases open source software security roadmap

US President Biden signed an executive order in May 2021 to improve cybersecurity. Now, the U.S. federal Cybersecurity and Infrastructure Security Agency (CISA) is building on this work to develop a new roadmap dedicated to protecting open source software (OSS).

"CISA recognizes the tremendous benefits of open source software, which enables software developers to work faster and fosters significant innovation and collaboration. With these benefits in mind, this roadmap outlines how CISA will help secure OSS both within and outside the federal government use and development."

According to the introduction, the roadmap defines two main types of open source risk. The first is the knock-on effect of vulnerabilities in widely used open source software; it uses Log4Shell as an example to illustrate the wide-ranging consequences that can follow when a widely deployed open source component is compromised. The second is supply chain attacks against open source repositories, which can lead to downstream negative impacts, such as developers' accounts being compromised and attackers using them to submit malicious code.

The roadmap outlines four key priorities, including: establishing CISA's role in supporting open source software security, driving visibility of open source usage and risks, reducing risk to the federal government, and strengthening the broader open source ecosystem.

According to CISA, this will help achieve its vision for open source software, which is that “every critical OSS project is not only secure, but sustainable and resilient, and supported by healthy, diverse and vibrant community support.”

Dan Lorenc, co-founder and CEO of supply chain security company Chainguard, believes CISA does a good job of segmenting the problems in this area and then prioritizing those issues. He notes that CISA is well aware the work needs to be done "upstream, with CISA staff engaging directly with communities," though he remains skeptical about how exactly that work will go.

Lorenc suggested that the government make some efforts to actually fund open source projects, but the current roadmap makes no mention of this at all.

"The government doesn't have a great reputation for helping with direct code or other contributions, but they do have the ability to help fund the work already underway to implement many of the projects in the roadmap, such as memory safety, bug fixes, and SBOM tools. But the government cooperation model here cannot adopt a 'you push, we'll steer' approach."

View the full roadmap.

Origin www.oschina.net/news/257947/cisa-roadmap-securing-open-source-software