Security News
Sarah Gooding
April 4, 2024
Some of the largest open source foundations have announced a new initiative aimed at establishing common cybersecurity standards in preparation to meet the requirements of new regulations outlined by the European Union’s Cyber Resilience Act (CRA). These organizations include the PHP Foundation, Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, Python Software Foundation, and the Rust Foundation, working under the leadership of the Eclipse Foundation and following its member-led model.
The announcement stresses the urgency of developing CRA-compliant security processes before the CRA takes effect in 2027.
The reasons for this collaboration extend beyond compliance. In an era where software, particularly open source software, plays an increasingly vital role in modern society, the need for reliability, safety, and security has steadily grown. New regulations, exemplified by the impending CRA, underscore the urgency of secure-by-design and robust supply chain security standards well before the regulation comes into force in 2027.
The CRA requires manufacturers of hardware and software products (PDEs, "products with digital elements") to implement cybersecurity measures throughout the product's lifecycle. It applies to companies based anywhere in the world that sell software in the EU, whether or not that software includes open source components.
This new working group will use existing security policies and procedures as the starting point for its technical standardization effort. Although open source communities have traditionally been less detailed in documenting their methods, a global shift towards more regulated cybersecurity measures is forcing these organizations to coalesce around standardizing secure software development practices.
OSI Standards Director Simon Phipps theorizes that the participating foundations are frustrated with the slow progress of discussions with the EU Commission regarding the CRA standards, which has left the open source community unable to contribute to the creation of those standards. This new initiative may be aimed at creating a set of best practices that meet the spirit of the CRA but are more tailored to the open source development model.
The announcement for the collaborative initiative indicates that the open source community may have been shut out of opportunities to engage with those creating the standards. It identifies several related challenges:
Several people commented on Phipps’ theory, noting how similar this new initiative sounds to SLSA (Supply-chain Levels for Software Artifacts), a security framework that includes a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure.
Tidelift co-founder Luis Villa noted that SLSA is a more general security framework, whereas the new initiative is aimed at regulatory compliance:
SLSA was designed from a blank-ish slate (“what would good secure software look like”); this will presumably be designed to meet the specific requirements of the CRA, which have similar goals in theory but probably will end up very different in practice.
(One could also note that SLSA has had ~ zero uptake in practice, because it was designed internally to Google and so is impracticable for most open source projects to implement; one hopes that this will be better.)
One of the other challenges for the new initiative is the necessity for developing cybersecurity standards that can also include requirements for proprietary software and various sizes of organizations from small businesses to large enterprises.
The announcement emphasizes that the reality of modern software development is deeply dependent on open source code:
Today’s global software infrastructure is over 80% open source. The software stack that underpins any product with digital elements is typically built using open source software. As a result, it is fair to say that when we discuss the “software supply chain,” we are primarily, but not exclusively, referring to open source.
The foundations involved in the initiative aim to produce specifications that can inform the formal standardization processes of at least one of the European standards organizations. Code-hosting open source foundations, SMEs, industry players, and researchers are invited to join the collaboration. The organizers anticipate publishing additional details in the next couple of months.