CISA and OpenSSF release framework for package repository security

The US Cybersecurity and Infrastructure Security Agency (CISA) announced that it is partnering with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish a new framework for securing package repositories.

Called the Principles for Package Repository Security, the framework aims to establish a set of ground rules for package repositories and further harden the open-source software ecosystem.

“Package repositories are at a critical point in the open-source ecosystem to help prevent or mitigate such attacks,” OpenSSF said.

“Even simple actions like a documented account recovery policy can yield strong security improvements. At the same time, capabilities must be balanced with the resource constraints of package repositories, many of which are operated by nonprofit organizations.”

Specifically, the principles define four security maturity levels for package repositories across four categories: authentication, authorization, general capabilities, and command-line interface (CLI) tooling:

  • Level 0 – Very low security maturity
  • Level 1 – Basic security maturity, such as offering multi-factor authentication (MFA) and allowing security researchers to report vulnerabilities
  • Level 2 – Moderate security maturity, which includes actions such as requiring MFA for critical packages and warning users about known security vulnerabilities
  • Level 3 – Advanced security maturity, which requires MFA for all maintainers and supports build provenance for packages

Framework authors Jack Cable and Zach Steindler say that all package management ecosystems should work towards at least Level 1.

The ultimate objective is to allow package repositories to self-assess their security maturity and develop a plan to strengthen their guardrails over time as threats and available security capabilities evolve.

“Security threats change over time, and so do the security capabilities that respond to those threats,” OpenSSF said. “Our goal is to help package repositories more quickly deliver security capabilities that best help strengthen the security of their ecosystem.”

The development comes as the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of security risks arising from the use of open-source software for maintaining patient records, inventory management, prescriptions, and billing.

A threat brief published in December 2023 said, “Although open-source software is the foundation of modern software development, it is also often the weakest link in the software supply chain.”
