EU Cyber Resilience Act: Good for Software Supply Chain Security, Bad for Open Source?
Following the software supply chain attack on SolarWinds and the worldwide panic over the vulnerability in Log4j, governments and regulatory bodies around the world have been trying to address a looming problem: how do you secure and protect software supply chains as they become a greater target for cyberattacks?
In the United States, the two Presidential Executive Orders of February 2021 and May 2021 started the conversation about protecting critical U.S. federal systems from cyberattacks. This has since turned into a steady drumbeat of activity intensifying and spreading beyond the borders of the United States and into the private sector.
For example:
- NIST has put out several publications, including the comprehensive guidance in “Software Security in Supply Chains.”
- OMB issued another memorandum called “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.”
- Several legislative routes are being discussed, including the Securing Open Source Software Act of 2022 (introduced in the Senate in September).
- There are industry initiatives like the Linux Foundation’s OpenSSF Open Source Software Security Mobilization Plan (which I’ve been a part of) that aim to provide guidance on the topic as well.
Since this is a global concern, other governments are also acting:
- In July 2022 the UK government issued a Proposal for Legislation to “Improve the UK’s Cyber Resilience,” which highlights the immense impact even small security risks in the supply chain can have.
- Germany issued the IT Security Act 2.0 (IT-SiG 2.0).
- Japan passed the “Act on Promotion of Economic Security by Integrated Implementation of
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: https://blog.sonatype.com/eu-cyber-resilience-act-good-for-software-supply-chain-security-bad-for-open-source