CISA Put Securing Open Source Software on the Roadmap
The government’s top cybersecurity agency is laying out steps it says are necessary to ensure that open source software, which is increasingly ubiquitous in modern IT environments, is secure.
The eight-page document released this week by the Cybersecurity and Infrastructure Security Agency (CISA) outlines four broad goals – along with multiple objectives – that it says will reduce the number of software supply-chain attacks like the high-profile SolarWinds and Kaseya incidents and reduce the expansive impacts of vulnerabilities like those found in the Log4j open source logging tool.
“We envision a world in which every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community,” the authors of the report wrote. “In this world, OSS developers are empowered to make their software as secure as possible.”
The goals also encourage those behind the open source projects to better manage the security of the software they’re working on and that those organizations using the software do so responsibly and contribute back to the efforts to make it more secure.
The roadmap – in the first goal listed – also lays out the prominent role CISA plays in enhancing the security of open source software for both federal agencies and commercial organizations. The agency also wants to ensure the efforts dovetail with The White House’s larger cybersecurity strategy.
CISA plans to partner with various open source software communities to both better understand the role of the software in the industry and give members a channel back to the agency. CISA also will work with international organizations, agencies, and communities to strengthen open source software security.
The agency also wants to better understand where open source components are used in the software run by federal agencies and critical infrastructure, what risks they pose, and to develop a framework for prioritizing those risks.
Reducing Risk, Hardening the Ecosystem
Other goals include reducing the risks to the federal government and hardening the larger open source software ecosystem by enhancing vulnerability disclosure and response processes, supporting security education for developers, and improving the standard use of software bills of materials (SBOMs), which are inventories of all the components that make up a piece of software, somewhat akin to nutrition labels on food products.
Understanding what’s in the software should make it easier to suss out where the risks might lie, though SBOMs aren’t the end-all. For example, while they can tell an organization what components make up the software it’s using, they don’t always detail the codebases that make up those components.
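As an added example (not from the article or from CISA's roadmap), a small Python check over a constructed CycloneDX-style SBOM: it lists the components, finds everything that directly or transitively pulls in a given package such as log4j-core, and flags components the SBOM lists but for which it declares no dependency information at all, the gap described above. The SBOM content, component names and versions are made up for illustration.

```python
# Constructed CycloneDX-style SBOM, as json.load() would return it from a file
# (built for this example, not taken from the article). "opaque-vendor-sdk" has
# no entry under "dependencies" at all, so the SBOM is silent about what it
# contains; log4j-core has an explicit empty "dependsOn", i.e. a declared leaf.
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "my-service", "version": "1.0",
         "purl": "pkg:generic/my-service@1.0"},
        {"type": "library", "name": "widget-lib", "version": "3.0.0",
         "purl": "pkg:maven/example/widget-lib@3.0.0"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1", "purl": LOG4J},
        {"type": "library", "name": "opaque-vendor-sdk", "version": "1.2",
         "purl": "pkg:generic/opaque-vendor-sdk@1.2"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/my-service@1.0",
         "dependsOn": ["pkg:maven/example/widget-lib@3.0.0",
                       "pkg:generic/opaque-vendor-sdk@1.2"]},
        {"ref": "pkg:maven/example/widget-lib@3.0.0", "dependsOn": [LOG4J]},
        {"ref": LOG4J, "dependsOn": []},
    ],
}

def components(sbom):
    """Map each component's purl to (name, version)."""
    return {c["purl"]: (c["name"], c["version"]) for c in sbom.get("components", [])}

def dependents_of(sbom, target):
    """Every component that pulls in `target`, directly or transitively."""
    reverse = {}  # child purl -> set of parents that list it in dependsOn
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            reverse.setdefault(child, set()).add(entry["ref"])
    seen, stack = set(), [target]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)

def undeclared_internals(sbom):
    """Components with no "dependencies" entry at all: the SBOM lists them but
    says nothing about what they are built from, so they need separate review."""
    declared = {d["ref"] for d in sbom.get("dependencies", [])}
    return sorted(p for p in components(sbom) if p not in declared)
```

A component that is absent from the dependency graph is not the same as a declared leaf; only the latter tells you the SBOM author actually looked inside it.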
CISA’s roadmap comes just over a month after the agency requested input on the project from developers and others in the tech industry.
Open Source Software is Everywhere
The focus on open source software is not surprising, given that most commercial software contains open source components. According to a Synopsys report, 96% of studied codebases include open source elements, and 76% of the code in the codebases contained open source components.
“[I]t’s so intertwined in modern development that code owners often don’t know the open source components in their own software,” authors of the Synopsys report wrote.
That’s been a problem with the Log4j vulnerability. Because the component can communicate with other services on a system, the flaw allowed threat actors to deploy malicious code into the logs and compromise the system, illustrating what CISA called the “cascading” effect of bugs in widely used open source software.
By some counts, the Log4j vulnerability affected hundreds of millions of devices and systems.
Supply-Chain Attacks are a Worry
Another concern is supply-chain attacks, in which attackers inject malware into open source components that are then used in software, essentially compromising the downstream organizations that use that software. Such was the case with SolarWinds and Kaseya, which affected about 1,500 organizations.
“Examples include an attacker compromising a developer’s account and committing malicious code, or a developer intentionally inserting a backdoor into their package,” CISA wrote in its roadmap.
According to the Identity Theft Resource Center (ITRC), more than 10 million people were affected by supply-chain attacks last year, with more than 1,700 organizations being targeted. There were 40% more supply-chain attacks than malware attacks in 2022, the ITRC found.
And those attacks are on the rise. The ITRC said in March that the number of attacks the center had tracked in the first quarter of 2023 already equaled 40% of what it had found in all of last year. The center also cited a 2022 report from the Cyentia Institute and SecurityScorecard that found that 98% of organizations surveyed had at least one third-party vendor hit by a data breach.
The roadmap is only part of CISA’s software security push. The agency already has its Secure By Design program in place, and most recently turned its attention to the threats posed by remote monitoring and management (RMM) tools and the burgeoning AI ecosystem.