The foundations behind Rust, Python, Apache, Eclipse, PHP, OpenSSL, and Blender have announced plans to create a “common specification for secure software development” based on “existing open source best practices.”
From the Eclipse Foundation:
This collaboration will be hosted by the Brussels-based Eclipse Foundation [an international non-profit association]. Under the auspices of the Eclipse Foundation's specification process and new working groups, other code-hosting open source foundations, small businesses, industry participants, and researchers are invited to participate as well.
The starting point for this highly technical standardization effort is each open source foundation's existing security policies and procedures, as well as similar documents that describe best practices.
Governance of the working group will follow the Eclipse Foundation's usual member-driven model, but will be enhanced by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications, made available under a free specification copyright license and a royalty-free patent license… Although open source communities and foundations generally adhere to industry best practices regarding security, and have historically established them, the approach often lacks consistency and comprehensive documentation.
The open source community and the broader software industry currently share a common challenge: legislation has created an urgent need for cybersecurity process standards.
The Apache Software Foundation notes that the working group is being set up partly to “demonstrate its commitment to cooperation and implementation” of the EU's Cyber Resilience Act ahead of its 2027 effective date. The Eclipse Foundation, for its part, recognizes open source software's “increasingly important role in modern society” and the growing need for reliability, safety, and security, adding that new regulations such as the CRA “emphasize” the urgent need for secure design and robust supply chain security standards.
The announcement adds that “it is also important to note that these standards equally need to be developed in a way that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium-sized enterprises.” At the same time, “more than 80% of today's global software infrastructure is open source… [W]hen we discuss ‘software supply chain,’ we primarily refer to, but are not limited to, open source.”
“We invite you to join us in our collaborative effort to create specifications for secure open source development,” the announcement concludes, promising updates on the effort through a new mailing list as industry leaders and researchers work together to tackle big challenges.
The Python Software Foundation's announcement calls it a “community-driven initiative” that will have “a lasting impact on the future of cybersecurity and the shared open source community.”