The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it is working with the Open Source Security Foundation’s (OpenSSF) Securing Software Repositories working group to publish a new framework for securing package repositories.
Called the Principles for Package Repository Security, the framework aims to establish a set of ground rules for package managers and further strengthen open source software ecosystems.
“Package repositories are at a critical point in the open source ecosystem to help prevent or mitigate such attacks,” OpenSSF said.
“Even simple actions like having a documented account recovery policy can lead to robust security improvements. At the same time, capabilities must be balanced with the resource constraints of package repositories, many of which are operated by non-profit organizations.”
Specifically, the principles establish four levels of security maturity for package repositories across four categories of authentication, authorization, general capabilities, and command line interface (CLI) tools:
- Level 0 – Very little security maturity.
- Level 1 – Basic security maturity, such as offering multi-factor authentication (MFA) and enabling security researchers to report vulnerabilities.
- Level 2 – Moderate security, including actions such as requiring MFA for critical packages and notifying users of known security vulnerabilities.
- Level 3 – Advanced security, requiring MFA for all maintainers and supporting build provenance for packages.
All package management ecosystems should work towards at least level 1, note framework authors Jack Cable and Zach Steindler.
The ultimate goal is to enable package repositories to self-assess their security maturity and formulate a plan to strengthen their guardrails over time in the form of security improvements.
“Security threats change over time, as do the security capabilities that address those threats,” OpenSSF said. “Our goal is to help repositories more quickly package the security features that best help strengthen the security of their ecosystems.”
The development comes as the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of security risks from using open source software to maintain patient health records, inventory management, prescriptions and billing.
“While open source software is the foundation of modern software development, it is also often the weakest link in the software supply chain,” reads a threat note published in December 2023.