The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will begin providing more hands-on support to open source software developers to help make their projects more secure, the agency said. From the report: CISA hosted a two-day, invitation-only summit this week with open source software community leaders and other federal officials. During the private event, it also conducted what is likely the first tabletop exercise to assess how well a government agency and open source community would respond to a cyberattack targeting one of its projects.
During the summit, CISA and several package repositories announced new initiatives to help secure open source projects. CISA is working to create new communication channels for open source software developers to share threat intelligence and seek assistance from government agencies during incidents. The Rust Foundation is developing a new public key infrastructure for repositories. This helps developers ensure that the code they are uploading is not malicious and comes from a legitimate user.
npm, which manages the JavaScript programming language, is rolling out a tool that requires project managers to enroll in multi-factor authentication and generates a "software bill of materials" that provides a recipe list of code and other elements included in a project. Additional repositories such as the Python Software Foundation, Packagist, Composer, and Maven Central are also promoting similar projects and deploying tools to help detect and report malware and other security vulnerabilities.