Column·Supply chain security
In the digital age, software is everywhere. Like "virtual humans" in society, software has become one of the most basic elements supporting the normal operation of society, and software security has become a basic and fundamental issue of today's society.
With the rapid development of the software industry, the software supply chain has become increasingly complex and diverse. Complex software supply chains will introduce a series of security issues, making the overall security protection of information systems increasingly difficult. In recent years, security attacks against the software supply chain have been growing rapidly, and the harm caused has become more and more serious.
To this end, we launch the "Supply Chain Security" column. This column collects supply chain security information, analyzes supply chain security risks, provides mitigation suggestions, and helps protect the software supply chain.
Note: Please see the “Recommended Reading” section at the end of this article for some supply chain security-related content published in the past.
On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new document detailing its plans to support the open source software (OSS) ecosystem and to support the secure use of OSS by federal agencies.
CISA pointed out that OSS can be accessed, modified and distributed by anyone, enabling higher quality code and promoting mutual collaboration, but at the same time posing higher risks through wide-reaching vulnerabilities such as Log4Shell.
CISA released the "Open Source Software Security Roadmap," which details its priorities for protecting the OSS ecosystem. By defining CISA's role, the roadmap aims to promote visibility into OSS usage and risks, reduce risks to federal agencies, and strengthen the security of the open source ecosystem.
CISA mentioned that federal agencies and critical infrastructure organizations rely heavily on OSS, which can be found in almost all code bases across industries. CISA noted, "In line with the National Cyber Strategy's goal of building a 'more resilient, fairer, and more defensible cyberspace,' CISA hopes to build a prosperous future where secure, resilient technologies are the backbone of the world. Promoting the technological foundation upon which the significant growth of open source software is built is key to this future."
CISA pointed out that protecting the security of OSS infrastructure is crucial, and it all starts with understanding relevant vulnerabilities and attacks.
Security flaws in OSS can have particularly widespread impacts, and CISA is committed to helping reduce the prevalence of exploitable vulnerabilities and assisting responders. At the same time, CISA calls attention to malicious compromises of OSS components that often lead to downstream compromises.
The roadmap document states that CISA will work with the OSS community to better understand the OSS ecosystem and promote mutual collaboration. At the same time, it will encourage package managers and code hosting services to take measures to improve their security, strengthen collaboration with international partners, improve its OSS security expertise, and establish an internal open source software security working group at CISA.
CISA is also focused on identifying the most commonly used OSS libraries to support critical functions within federal agencies and critical infrastructure entities. This information will be used to understand risks and prioritize mitigation and risk reduction measures.
To reduce risk to federal agencies, CISA will evaluate solutions to secure OSS use, develop Open Source Program Office (OSPO) best practices guidance, and continue to identify strategies and resources that can help improve OSS security and resiliency.
In addition, CISA will continue to strengthen the security of the broader OSS ecosystem, with a primary focus on the security of critical OSS components used in the federal government and critical infrastructure. It will also broaden SBOM efforts to support security education for OSS developers, publish best practice guidance for the secure use of OSS, and continue to coordinate the disclosure and response of OSS vulnerabilities.
Recommended reading
Qi'anxin was selected as the representative manufacturer of the global "Software Component Analysis Panorama"
Online reading version: Full text of "2022 China Software Supply Chain Security Analysis Report"
Online reading version: Full text of "2021 China Software Supply Chain Security Analysis Report"
Google Cloud Build vulnerability allows hackers to launch supply chain attacks
A guide for CISOs on software supply chain debt repayment
New supply chain attack exploits abandoned S3 buckets to distribute malicious binaries
Quickly fix this new 0day in MOVEit Transfer!
MOVEit file transfer software 0day used to steal data
MSI UEFI signing key leak could lead to "catastrophic" supply chain attack
OilRig APT group may launch more IT supply chain attacks in the Middle East
GitHub discovers 7 high-risk code execution vulnerabilities in "tar" and npm CLI
Remote code execution flaw in popular NPM package dependencies
Npm malicious package attempts to steal sensitive Discord information and browser files
Find weak links in the software supply chain
GitHub talks about software supply chain security and its importance
Open source software vulnerability security risk analysis
PUMA source code stolen, says customer data not affected
Original link
https://www.securityweek.com/cisa-releases-open-source-software-security-roadmap/
Title image: Pixabay License
This article was compiled by Qi'anxin and does not represent the views of Qi'anxin. Please indicate "Reprinted from Qi'anxin Code Guard https://codesafe.qianxin.com" when reprinting.
Qi'anxin Code Safe (codesafe)
The first domestic product line focusing on software development security.