Peter Girnus


Breaking Down CISA's Open Source Software Security Roadmap

Introduction

Today, we're diving into a recent publication titled Open Source Software Security Roadmap from the Cybersecurity and Infrastructure Security Agency (CISA). We'll be breaking this publication down into bite-sized, easy-to-digest pieces. So strap in and enjoy the ride as we learn how CISA is trying to improve the chaotic world of open source software security.

What is Open Source Software (OSS)?

First things first, let's talk about OSS. It's software whose source code is publicly available, meaning anyone can see, use, modify, and share it. OSS is everywhere, powering everything from your smartphone apps to critical infrastructure systems such as nuclear reactors and power grids.

Why Does CISA Care About Open Source Software (OSS) Security?

CISA, responsible for safeguarding the federal government and critical infrastructure, knows that we rely heavily on OSS. A whopping 96% of codebases across various sectors contain open source code, so OSS touches every government and private sector organization. In order to protect the larger community as well as national security interests, CISA has set out to increase its understanding of OSS so that it can protect, improve, and secure the OSS we all depend on. CISA recognizes the shared responsibility between developers, organizations, and consumers to answer questions such as "how do we increase open source security?" and seeks to foster trust, community, and collaboration between these key players.

Threats & Risk To Open Source Software (OSS)

CISA understands that to keep open source software (OSS) secure, you need to know what unique threats this ecosystem faces. CISA has identified two big categories of risk to open source software:

Cascading Effects of Vulnerabilities in Widely Used OSS

Think of this like a ripple effect. If there's a vulnerability in widely used OSS, its prevalence means the problem is immediately global. Just as we saw with Log4Shell (CVE-2021-44228 and the follow-on CVE-2021-45046 and CVE-2021-45105), one flaw in a common library can have a massive, widespread impact. This makes popular OSS a juicy target for threat actors of all stripes, and the consequences of a compromise can be far reaching and devastating. CISA wants to reduce these risks and vulnerabilities and help with the response when a vulnerability does occur.

Supply-Chain Attacks on OSS Repositories

Imagine someone sneaking poison into your favorite recipe and serving it to you and your family. That's what supply-chain attacks are like in OSS. Open source is not inherently less secure than closed source, nor bad for security, but there are risks unique to it. Bad actors can compromise an OSS component, and every piece of software that depends on it inherits the compromise. This can be done by hijacking a maintainer's account, pushing malicious commits into a codebase, or quietly adding something harmful such as a backdoor to a published package. Real-world examples include packages that hide cryptominers, delete user files, or trick developers through typosquatting (publishing a package whose name is one typo away from a popular one).
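Typosquatting works because a requested package name that is one or two edits away from a popular one still resolves to something, and the installer does not care that it is the wrong thing. As an added example (not code from CISA, the roadmap, or any package registry), here is a small Python check that a CI job or an internal mirror could run over a requirements list: it normalizes names the way PyPI does (PEP 503) so that legitimate spellings such as `Python_DateUtil` are not flagged, then computes the edit distance to a list of well-known names. The `POPULAR_PACKAGES` allow-list and the requirements lines are constructed samples, and the edit-distance thresholds are assumptions chosen for illustration.

```python
"""Typosquat check for requested package names.

Added example for this post (not code from CISA or from any package
registry). POPULAR_PACKAGES is a small constructed allow-list, and the
edit-distance thresholds in check_package_name() are assumptions chosen
for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of well-known names an attacker might imitate.
POPULAR_PACKAGES = ("requests", "numpy", "urllib3", "colorama", "setuptools", "python-dateutil")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.' to '-'.

    This keeps legitimate spellings such as 'Python_DateUtil' from being flagged
    as lookalikes of 'python-dateutil'.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, each costing 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Verdict:
    requested: str
    suspicious: bool
    lookalike_of: Optional[str]
    reason: str


def check_package_name(requested: str, popular: Iterable[str] = POPULAR_PACKAGES) -> Verdict:
    """Flag a name that is a typo or two away from a popular package."""
    norm = normalize(requested)
    known = {normalize(p): p for p in popular}
    if norm in known:
        return Verdict(requested, False, None, "exact match to a known package")
    best = min(known, key=lambda k: levenshtein(norm, k))
    dist = levenshtein(norm, best)
    # Assumption: short names tolerate 1 edit, longer names 2, before we flag.
    threshold = 1 if len(best) <= 6 else 2
    if dist <= threshold:
        return Verdict(requested, True, known[best], f"{dist} edit(s) from {known[best]!r}")
    return Verdict(requested, False, None, "no close match to a known package")


def scan_requirements(lines: Iterable[str]) -> List[Verdict]:
    """Check each 'name==version' line of a requirements file; return only the flagged ones."""
    flagged = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        verdict = check_package_name(name)
        if verdict.suspicious:
            flagged.append(verdict)
    return flagged


# Constructed requirements list: two exact names, one normalized alias, two lookalikes.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
Python_DateUtil==2.8.2
reqeusts==2.31.0      # transposed letters
colourama==0.4.6      # extra letter
django==4.2
"""

if __name__ == "__main__":
    for v in scan_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"{v.requested}: {v.reason}")
```

Running the block flags `reqeusts` and `colourama` and leaves `django` alone because it is not close to anything on the list. A real deployment would swap the constructed allow-list for the top few thousand names on the registry you use and tune the thresholds to your false-positive tolerance.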

Four Key Goals of CISA's Roadmap

In order to help facilitate a safer OSS ecosystem, the CISA roadmap centers on four main goals:

Goal 1 - CISA's Role in Supporting OSS Security

CISA aims to team up and foster a relationship with the OSS community to build a secure OSS ecosystem. They'll be partnering with OSS communities, forming channels of collaboration, and contributing to enhance security.

Goal 2 - Drive Visibility into OSS Usage & Risks

To better understand OSS dependencies, CISA plans to identify the most crucial libraries used across the government and its infrastructure. This helps CISA prioritize risk-reduction activities for mission-critical systems.

Goal 3 - Reduce Risks to the Federal Government

Similar to responsible companies, the government needs to manage its OSS usage and give back to the OSS community. CISA will evaluate solutions to help federal agencies manage OSS securely.

Goal 4 - Harden the OSS Ecosystem

CISA knows that securing the broader OSS ecosystem benefits us all. They'll work on advancing SBOM (Software Bill of Materials) within OSS supply chains, promoting security education for OSS developers, and publishing best practices for secure OSS usage.

How Will CISA Achieve These Goals?

Now that we've got a handle on the goals, let's look at the specific objectives CISA has set to achieve them.

Goal 1 - Establish CISA’s Role in Supporting the Security of OSS

Partnering With OSS Communities

  • CISA plans to become an active member of OSS communities.

  • CISA will establish partnerships, engage in real-time collaboration, and participate in working groups focused on OSS security.

  • A major collaborative focus will be enhancing the maintenance and security of OSS components used in critical infrastructure, such as industrial control systems (ICS).

Encouraging Collective Action From Centralized OSS Entities

  • CISA recognizes the influence of centralized OSS entities like package managers.

  • CISA will encourage these entities to play a more active role in enhancing OSS security.

Expand Engagement and Collaboration With International Partners

  • CISA recognizes that OSS affects governments and the private sector alike, and that OSS is without borders, impacting the entire world.

  • CISA will engage and collaborate with international partners and allies to enhance OSS security globally.

Establish and Organize CISA’s OSS Work

  • CISA must be structured in a way that can implement this roadmap.

  • To increase OSS security expertise, CISA will establish an Open Source Software Security Working Group to coordinate CISA’s work on OSS security.

Goal 2 - Drive Visibility into OSS Usage and Risks

Understanding OSS Software Prevalence

  • CISA wants to know where OSS is used most.

  • CISA will assess OSS prevalence in the federal government and critical infrastructure to identify areas of risk.

Developing a Framework for OSS Risk Prioritization

  • CISA will create a framework for prioritizing OSS risks based on factors like usage, maintenance, and security properties and share that with the public.

  • The framework will identify and categorize OSS components that:

    • based on usage and existing support, the federal government should directly support;

    • are malicious, and the federal government should stop using;

    • are well supported, and the government may continue using.

Conducting Risk-Informed Prioritization of OSS Projects in Federal Government and Critical Infrastructure

  • By applying that framework, CISA will prioritize OSS projects through risk-informed decision making. This ensures the government focuses its resources on the most critical dependencies.

Understanding Threats to Critical OSS Dependencies

  • CISA will continuously assess threats to critical OSS dependencies and issue alerts when necessary.

Goal 3 - Reduce Risks to the Federal Government

Evaluate Solutions to Aid in Secure Usage of OSS

  • CISA will explore tools and capabilities to help federal agencies manage OSS securely.

Develop Open Source Program Office Guidance For Federal Agencies

  • CISA will provide best practice guidance for federal agencies looking to implement open source program offices (OSPOs).

Drive Prioritization of Federal Actions in OSS Security

  • CISA will collaborate with other agencies to identify policies and resources for enhancing OSS security.

Goal 4 - Harden the OSS Ecosystem

Continue to Advance SBOM Within OSS Supply Chains

  • CISA will work on SBOM (Software Bill of Materials) standardization and automating dependency data generation within the OSS ecosystem.
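Standardized SBOMs only pay off when a consumer can ask one a concrete question, such as "is the library behind Log4Shell anywhere in this build?" As an added example (not code from CISA, the roadmap, or any SBOM tool), here is a small Python scan that parses a CycloneDX JSON SBOM, walks nested components, and reports every `log4j-core` entry whose version falls in an affected range for the three CVEs mentioned earlier. The SBOM is constructed for illustration. The version ranges are transcribed from the NVD entries for those CVEs as half-open intervals below the Java 6, Java 7 and Java 8 fix releases; verify them against the current advisory before reusing the table.

```python
"""Match log4j-core components in a CycloneDX SBOM against Log4Shell advisories.

Added example for this post; not CISA's code and not a real SBOM tool. The
SBOM below is constructed for illustration. The affected version ranges are
transcribed from the public NVD/Apache advisories for the three CVEs the post
mentions; check the current advisories before relying on them.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Half-open ranges [lo, hi): versions below the Java 6 / Java 7 / Java 8 fix releases.
LOG4J_CORE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2021-44228": [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")],
    "CVE-2021-45046": [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.16.0")],
    "CVE-2021-45105": [("2.0-beta9", "2.3.1"), ("2.4", "2.12.3"), ("2.13.0", "2.17.0")],
}


def version_key(v: str) -> tuple:
    """Sortable key for Maven-style versions such as '2.0-beta9', '2.4' or '2.14.1'.

    A pre-release tag sorts below the bare release (2.0-beta9 < 2.0), which is
    what matters for the beta-era lower bound of these ranges.
    """
    main, _, pre = v.partition("-")
    nums = [int(x) for x in main.split(".")]
    nums += [0] * (3 - len(nums))  # pad 2.4 -> 2.4.0
    if pre:
        m = re.match(r"([A-Za-z]+)(\d*)", pre)
        tag = (0, m.group(1).lower(), int(m.group(2) or 0)) if m else (0, pre.lower(), 0)
    else:
        tag = (1, "", 0)  # a release sorts after any pre-release of the same number
    return tuple(nums) + tag


def affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version lies in any [lo, hi) range."""
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in ranges)


def walk_components(components: List[dict]) -> Iterator[dict]:
    """CycloneDX lets a component nest its own 'components' (e.g. a fat jar); yield all of them."""
    for c in components:
        yield c
        yield from walk_components(c.get("components", []))


@dataclass(frozen=True)
class Finding:
    purl: str
    version: str
    cves: Tuple[str, ...]


def scan_sbom(sbom: dict) -> List[Finding]:
    """Return one Finding per log4j-core component that falls in an affected range."""
    findings = []
    for c in walk_components(sbom.get("components", [])):
        if c.get("group") != "org.apache.logging.log4j" or c.get("name") != "log4j-core":
            continue
        hits = tuple(cve for cve, ranges in LOG4J_CORE_ADVISORIES.items()
                     if affected(c["version"], ranges))
        if hits:
            findings.append(Finding(c.get("purl", ""), c["version"], hits))
    return findings


# Constructed CycloneDX 1.4 JSON: one vulnerable library, a nested copy inside an
# application component, a partially patched version, a fixed version, and log4j-api
# (same group, different artifact) which must not be reported.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "application", "name": "billing-service", "version": "1.0.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.16.0", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.12.2", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.0", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"}
  ]
}
"""


def scan_sample() -> List[Finding]:
    """Parse the constructed SBOM and run the scan over it."""
    return scan_sbom(json.loads(SAMPLE_SBOM_JSON))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.purl}: {', '.join(f.cves)}")
```

The scan reports 2.14.1 for all three CVEs, and both 2.16.0 (nested inside the application) and 2.12.2 for CVE-2021-45105 only, which is exactly the situation many teams were in after the first round of patching. The 2.17.0 entry and `log4j-api` produce nothing. The same walk-and-match shape works for any advisory table once the SBOM carries accurate group, name and version fields, which is why the roadmap's push for automated, standardized dependency data matters.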

Foster Security Education for Open Source Developers

  • CISA will support security education for OSS developers and publish toolkits with best practices.

  • This will help developers answer questions such as "how do we ensure the security of open source?"

Publish Guidance on OSS Security Usage Best Practices

  • CISA will share best practices for securely using OSS with federal agencies and critical infrastructure organizations.

  • CISA will provide guidance to answer consumer questions such as “How to use open source safely and securely?”

Foster OSS Vulnerability Disclosure and Response

  • CISA will coordinate vulnerability disclosure and response for OSS vulnerabilities.

  • Coordination efforts will include such things as looking for upstream issues and quickly notifying affected users once vulnerabilities are identified.

Wrapping it Up

And there you have it, fellow travelers through the intricate realm of open source software security! We've embarked on a thrilling journey, dissecting CISA's Open Source Software Security Roadmap, and I hope you've found it enlightening.

As we wrap up this adventure, remember that open source software is a cornerstone of our digital world, powering everything from the apps on our smartphones to the critical systems that keep our infrastructure humming. And in this age of digital interconnectedness, securing these foundations is of paramount importance to everyone. We all have our part to play in reducing risk.

Thank you for joining us on this expedition, and here's to a safer and more secure digital world for us all. Safe travels!