The US Cybersecurity and Infrastructure Security Agency (CISA) announced that it is partnering with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish a new framework for securing package repositories.
Called the Principles for Package Repository Security, the framework aims to establish a set of ground rules for package managers and further harden the open-source software ecosystem.
“Package repositories are at a critical point in the open-source ecosystem to help prevent or mitigate such attacks,” OpenSSF said.
“Even simple actions like a documented account recovery policy can yield strong security improvements. At the same time, capabilities must be balanced with the resource constraints of package repositories, many of which are operated by nonprofit organizations.”
Specifically, the principles define four security maturity levels for package repositories across four categories: authentication, authorization, general capabilities, and command-line interface (CLI) tooling:
- Level 0 – very low security maturity.
- Level 1 – basic security maturity, such as multi-factor authentication (MFA) and allowing security researchers to report vulnerabilities.
- Level 2 – moderate security, which includes actions such as requiring MFA for critical packages and warning users about known security vulnerabilities.
- Level 3 – advanced security, which requires MFA for all maintainers and supports build provenance for packages.
Framework authors Jack Cable and Zach Steindler say that all package management ecosystems should work towards at least Level 1.
The ultimate objective is to allow package repositories to self-assess their security maturity and develop a plan to strengthen their guardrails over time as security improves.
“Security threats change over time, and so do the security capabilities that respond to those threats,” OpenSSF said. “Our goal is to help package repositories more quickly deliver security capabilities that best help strengthen the security of their ecosystem.”
The development comes as the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of security risks arising from the use of open-source software for maintaining patient records, inventory management, prescriptions, and billing.
A threat brief published in December 2023 said, “Although open-source software is the foundation of modern software development, it is also often the weakest link in the software supply chain.”