CISA Announces Initiative to Fortify Security of Open Source Package Registries

CISA's new initiative collaborates with the open source ecosystem to enhance the security of package registries, promoting a set of best practices in the interest of securing critical infrastructure.

Sarah Gooding

March 7, 2024


The Cybersecurity and Infrastructure Security Agency (CISA), the U.S.’ lead cyber defense agency, is collaborating with the open source ecosystem on new initiatives to secure the critical infrastructure that powers modern digital life. CISA’s March 5-6 Open Source Software Security Summit included representatives from open source foundations, package repositories, civil society, industry and federal agencies.

CISA Director Jen Easterly delivered the opening remarks, acknowledging the value of OSS to the economy and its potential for exploitation:

A recent Harvard study estimated that open source software has generated over eight trillion dollars in value to our society. That level of impact is astonishing, and the continued growth and successes of this movement are a testament to the underlying logics of open source that inherently promote and reward innovation and collaboration. This would not be possible without your tireless efforts to ensure that open source software is scaled in secure and sustainable ways.
We at CISA are particularly focused on OSS security because, as everyone here knows, the vast majority of our critical infrastructure relies on open source software. And while the Log4Shell vulnerability might have been a big wakeup call for many in government, it demonstrated what this community has known and warned about for years: due to its widespread deployment, the exploitation of OSS vulnerabilities becomes more impactful.

CISA is also working towards establishing voluntary collaboration and cyber defense information sharing with OSS communities for the purpose of preventing these types of supply chain attacks.

Package registries were one of the main focuses of the summit, following CISA’s publication of the Principles for Package Repository Security framework in partnership with the Open Source Security Foundation (OpenSSF). This document, which is still being refined, offers a set of best practices recommended for package registries. It includes voluntary security measures and levels of maturity for package repositories, summarized in this list:

  • Package repositories should require multi-factor authentication.
  • Package repositories should allow security researchers to report vulnerabilities.
  • Implement a vulnerability disclosure policy.
  • Clearly define the roles and responsibilities of all stakeholders involved in the package repository.
  • Establish a software bill of materials (SBOM) for each package.
  • Implement a process for reviewing and approving packages before they are added to the repository.
  • Regularly scan packages for vulnerabilities.
  • Use digital signatures to ensure the integrity of packages.
  • Monitor the repository for suspicious activity.

These measures apply to each registry differently: some registries, for example, have no user accounts, and some perform builds on behalf of users.

Five of the most widely used package registries have agreed to take steps towards securing their operations, guided by the new Principles for Package Repository Security framework. They are:

  • The Rust Foundation
  • The Python Software Foundation
  • Packagist and Composer
  • npm
  • Maven Central (maintained by Sonatype)

CISA Director Jen Easterly also spoke about the government’s role in supporting OSS security efforts during her opening remarks, stating that CISA does not seek to control or regulate the open source community.

“Instead, our goal is to show up, as a community member, and steer our resources in ways that can help support secure by design open source software development practices and encourage its responsible usage,” Easterly said. “The federal government is one of the biggest users of open source software in the world; it only makes sense that it makes the requisite contributions back to the OSS community.”

This initiative is a positive sign that the US government recognizes the increasing threats facing software supply chains at the package registry level, and is treating these registries as a public good. CISA is taking a supportive stance that respects the autonomy and community-driven nature of open source development, rather than imposing regulation. This is crucial for maintaining the collaborative spirit that drives OSS.

“As we know, package repositories are uniquely positioned to improve the overall security posture of open source software in a way that benefits all users,” Easterly said. “At the same time, we recognize that these package repositories are so often resource constrained. My hope is that this summit will help foster discussion on how best to prioritize and support security improvements to this critical component in OSS supply chains.”
