Major Open Source Foundations Form Initiative Aimed at Building CRA-Compliant Security Processes

Some of the largest open source foundations have announced a new initiative aimed at establishing common cybersecurity standards in preparation to meet the requirements of new regulations outlined by the European Union’s Cyber Resilience Act (CRA). These organizations include the PHP Foundation, Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, Python Software Foundation, and the Rust Foundation, working under the leadership of the Eclipse Foundation and following its member-led model.

The announcement communicates the urgency of the need to develop CRA-compliant security processes ahead of when the CRA goes into effect in 2027.

The reasons for this collaboration extend beyond compliance. In an era where software, particularly open source software, plays an increasingly vital role in modern society, the need for reliability, safety, and security has steadily increased. New regulations, exemplified by the impending CRA, underscore the urgency for secure by design and robust supply chain security standards well before the new regulation comes into force in 2027.

The CRA requires manufacturers of hardware and software products (PDEs - “products with digital elements”) to implement cybersecurity measures throughout the product's lifecycle. It impacts companies based anywhere in the world that sell software in the EU, regardless of whether the software includes open source components or not.

This new working group will use existing security policies and procedures as the starting point for its technical standardization effort. Although open source communities have traditionally been less detailed in documenting their methods, a global shift towards more regulated cybersecurity measures is forcing these organizations to coalesce around standardizing secure software development practices.

Open Source Community Struggles to Engage with European Standards Organizations#

OSI Standards director Simon Phipps theorizes that the participating foundations are frustrated with the slow progress of discussions with the EU Commission regarding the CRA standards, making it impossible for the open source community to contribute to the creation of those standards. This new initiative may be aimed at creating a set of best practices that meet the spirit of the CRA but are more tailored to the open source development model.

The announcement for the collaborative initiative indicates that the open source community may have been shut out of opportunities to engage with those creating the standards. It identifies several related challenges:

• Traditional standards organizations have had limited interactions with open source communities and the broader software/IT industry. To make matters more complicated, their governance models currently do not provide opportunities for open source communities to engage.
• Open source communities have a limited history of dealing with traditional standards organizations. To make matters more complicated, their resource constraints make it difficult for them to engage.
• Standards setting is typically a long process, and time is of the essence.

Several people commented on Phipps’ theory, noting how similar this new initiative sounds to SLSA (Supply-chain Levels for Software Artifacts), a security framework that includes a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure.

Tidelift co-founder Luis Villa noted that SLSA is a more general security framework, whereas the new initiative is aimed at regulatory compliance:

SLSA was designed from a blank-ish slate (“what would good secure software look like”); this will presumably be designed to meet the specific requirements of the CRA, which have similar goals in theory but probably will end up very different in practice.

(One could also note that SLSA has had ~ zero uptake in practice, because it was designed internally to Google and so is impracticable for most open source projects to implement; one hopes that this will be better.)

One of the other challenges for the new initiative is the necessity for developing cybersecurity standards that can also include requirements for proprietary software and various sizes of organizations from small businesses to large enterprises.

The announcement emphasizes that the reality of modern software development is deeply dependent on open source code:

Today’s global software infrastructure is over 80% open source. The software stack that underpins any product with digital elements is typically built using open source software. As a result, it is fair to say that when we discuss the “software supply chain,” we are primarily, but not exclusively, referring to open source.

The foundations involved in the initiative are aiming to produce specifications that can inform the formal standardization processes of at least one of the European Standards organizations. Code-hosting open source foundations, SMEs, industry players, and researchers are invited to join the collaboration. The organizers anticipate publishing additional details in the next couple months.