The Cybersecurity and Infrastructure Security Agency (CISA) is continuing its progress toward a secure open-source software (OSS) ecosystem by offering scalable solutions for organizations to assess the trustworthiness of their OSS dependencies.
Open-source software is a critical component of the software supply chain and its use is only growing, with OpenLogic’s 2024 State of Open Source Report finding 95% of organizations increased or maintained their OSS use over the past year.
Although OSS offers benefits for cost savings, functionality and flexibility in software development, the OSS ecosystem faces unique security challenges due to the degree of separation between the software authors and its users.
The lack of a supplier-purchaser relationship places the responsibility for assessing a project's trustworthiness on its users, who must exercise due diligence and continually monitor the projects they rely on, according to CISA.
The open-source supply chain is also a popular target for threat actors, who may seek to infiltrate it by compromising or imitating legitimate projects, or by earning maintainer trust on a legitimate project over time before slipping in malicious components, as seen in the XZ Utils backdoor.
The compromise of Polyfill.js last month is another example of how open-source projects can “go rogue,” demonstrating the need to continually assess their trustworthiness over time. Additionally, the recent discovery by Phylum of trojanized versions of the popular jQuery library on npm, GitHub and jsDelivr emphasizes the widespread and persistent targeting of open-source repositories by malicious actors.
In a blog post Monday, CISA Open Source Software Security Section Chief Aeva Black outlined a four-part framework organizations should use to evaluate OSS trustworthiness. The four dimensions that should be assessed include:
- The project: Who are the active contributors? Have there been any sudden changes in account ownership?
- The product: How robust is the code? Are there any known vulnerabilities or deprecated dependencies?
- Protections: Do the project owners maintain security measures such as requiring two-factor authentication on developer accounts?
- Policies: Does the project require code review or provide a process for responsible disclosure of vulnerabilities?
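The first dimension above, who is committing and whether control of the code has shifted suddenly, is the one most readily measured from version-control history alone, which is also what makes it automatable at scale. The following is an added example, not CISA's or Hipcheck's own code, of scoring that dimension from a constructed `git log` excerpt. The thresholds (a 180-day window, a newcomer authoring at least half of recent commits, three or more earlier commits to count as an established contributor) and the sample history are assumptions chosen for illustration.

```python
# Added example (not CISA's or Hipcheck's code): score the "project"
# dimension from git history. Thresholds and sample data are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample history in the shape of
#   git log --date=short --format='%h|%ae|%ad'
# Two long-standing maintainers (alice, bob), then a newcomer (mallory)
# who authors almost every commit in the final months.
SAMPLE_LOG = """\
1a2b3c4|alice@example.org|2022-01-10
2b3c4d5|alice@example.org|2022-03-15
3c4d5e6|bob@example.org|2022-04-01
4d5e6f7|alice@example.org|2022-05-20
5e6f7a8|alice@example.org|2022-08-02
6f7a8b9|bob@example.org|2022-09-09
7a8b9c0|alice@example.org|2022-11-11
8b9c0d1|bob@example.org|2023-01-20
9c0d1e2|alice@example.org|2023-02-01
0d1e2f3|alice@example.org|2023-05-09
1e2f3a4|bob@example.org|2023-06-30
2f3a4b5|alice@example.org|2023-07-21
3a4b5c6|mallory@example.net|2023-09-15
4b5c6d7|mallory@example.net|2023-09-28
5c6d7e8|alice@example.org|2023-10-05
6d7e8f9|mallory@example.net|2023-10-12
7e8f9a0|mallory@example.net|2023-11-03
8f9a0b1|mallory@example.net|2023-11-20
9a0b1c2|mallory@example.net|2023-12-08
0b1c2d3|mallory@example.net|2024-01-05
1c2d3e4|mallory@example.net|2024-01-22
2d3e4f5|mallory@example.net|2024-02-10
"""


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str  # author e-mail as recorded in the commit
    when: date


def parse_log(text: str) -> list[Commit]:
    """Parse '%h|%ae|%ad' lines; blank lines are skipped."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, author, when = line.split("|", 2)
        commits.append(Commit(sha, author.lower(), date.fromisoformat(when)))
    return commits


def assess_project(commits, as_of, window_days=180,
                   newcomer_share=0.5, long_term_min_commits=3):
    """Flag two warning signs over the trailing window ending at as_of:
    1. a newcomer (first commit inside the window) authoring at least
       newcomer_share of recent commits, i.e. a sudden shift in control;
    2. an established contributor (>= long_term_min_commits before the
       window) who has gone silent inside it."""
    window_start = as_of - timedelta(days=window_days)
    first_seen = {}
    pre_window = Counter()
    for c in sorted(commits, key=lambda c: c.when):
        first_seen.setdefault(c.author, c.when)
        if c.when < window_start:
            pre_window[c.author] += 1
    recent = [c for c in commits if window_start <= c.when <= as_of]
    recent_counts = Counter(c.author for c in recent)
    findings = []
    for author, n in recent_counts.most_common():
        share = n / len(recent)
        if first_seen[author] >= window_start and share >= newcomer_share:
            findings.append(f"newcomer {author} (first commit {first_seen[author]}) "
                            f"authored {share:.0%} of commits in the last {window_days} days")
    for author, n in pre_window.items():
        if n >= long_term_min_commits and author not in recent_counts:
            findings.append(f"long-term contributor {author} ({n} earlier commits) "
                            f"has no commits in the last {window_days} days")
    return {
        "window_start": window_start.isoformat(),
        "recent_commits": len(recent),
        "recent_authors": dict(recent_counts),
        "findings": findings,
        "high_risk": bool(findings),
    }


def assess_log(text, as_of_iso, **kwargs):
    """Convenience wrapper: raw log text plus an ISO assessment date."""
    return assess_project(parse_log(text), date.fromisoformat(as_of_iso), **kwargs)


if __name__ == "__main__":
    for as_of in ("2023-08-01", "2024-03-01"):
        report = assess_log(SAMPLE_LOG, as_of)
        print(f"as of {as_of}: high_risk={report['high_risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the sample, an assessment dated 2023-08-01 reports nothing, while one dated 2024-03-01 flags both the newcomer's 90% share of recent commits and bob's disappearance. The point of wrapping the check in a function that takes raw log text is that the same scoring can be run over hundreds of dependencies' histories in a loop, which is what makes the "project" dimension tractable at the scale discussed below; the other three dimensions need data from the package registry and the forge, not just the repository.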
In order to maintain a secure OSS ecosystem, the assessment process using this framework must be scalable given the enormous number of open-source dependencies organizations must track. According to the Synopsys 2024 Open Source Security and Risk Analysis Report, the average application contained 526 open-source components, making regular manual assessment of each component all but impossible.
CISA is working to make the task of OSS security assessment more feasible by funding the development of an open-source tool called Hipcheck, which automates measurement of the four framework dimensions. Maintained by the MITRE Corporation, Hipcheck quickly analyzes Git source repositories and open-source packages and flags high-risk components.
“As work on both the framework and supporting tools continue to progress, we will improve our capability to assess OSS trustworthiness at scale, which in turn will benefit federal agencies, critical infrastructure, and the American public at large,” Black wrote.