
Package Repository Security Release Framework by CISA and OpenSSF

The Hacker News | Infrastructure Security / Software Supply Chain | February 12, 2024

A new framework to secure package repositories will be published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group.

The framework, known as the Principles for Package Repository Security, aims to further harden open-source software ecosystems and establish a set of fundamental guidelines for package managers.

According to OpenSSF, “package repositories are crucial in the open-source ecosystem to help prevent or mitigate such attacks.”


"Strong security improvements can result from even straightforward actions like having a documented account recovery policy." At the same time, the framework must balance these improvements against the capabilities and resource limitations of package repositories, many of which are run by non-profit organizations.

Notably, the principles outline four levels of security maturity for package repositories, assessed across four capability areas: authentication, authorization, general capabilities, and command-line interface (CLI) tooling.

  • Level 0: Being extremely inexperienced in security
  • Level 1: Being able to report vulnerabilities and having a basic understanding of security, such as multi-factor authentication (MFA)
  • Level 2: Having moderate security, which entails requiring MFA for important packages and alerting users to security flaws
  • Level 3: Advanced security that supports build provenance for packages and necessitates MFA for all maintainers

According to framework authors Jack Cable and Zach Steindler, all package management ecosystems ought to strive for at least Level 1.

The ultimate goal is to enable package repositories to evaluate their security maturity on their own and develop a strategy for enhancing security over time.


According to OpenSSF, "Security threats change over time, and so do the security capabilities that address those threats. Our objective is to assist repositories in delivering the security features that will strengthen their ecosystems' security more quickly."

The change comes after the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services issued a warning about the security risks associated with using open-source software to manage patient records, inventory, prescriptions, and billing.

In a threat brief released in December 2023, it was stated that open-source software is frequently the weakest link in the software supply chain, despite being the foundation of modern software development.
