
CISA Aims For More Robust Open Source Software Security for Government and Critical Infrastructure

The agency’s roadmap outlines a plan for prioritizing where open source software makes infrastructure potentially vulnerable.

The US Cybersecurity and Infrastructure Security Agency released four priorities for securing open source software ecosystems on Tuesday, September 12. Specifically, the roadmap will be used to develop a framework to prioritize risk. This framework will then guide the federal government and critical infrastructure organizations in choosing which open source security projects to launch first.

CISA’s roadmap sets up steps toward the following:

The full roadmap can be found in a PDF linked in CISA’s blog post. The roadmap will result in a process by which CISA can continually monitor open source software security risks. CISA also plans to create a guide to best practices in open source security for government entities and critical infrastructure organizations, according to the roadmap.

“We envision a world in which every critical OSS (open source software) project is not only secure but sustainable and resilient, supported by a healthy, diverse and vibrant community. In this world, OSS developers are empowered to make their software as secure as possible,” CISA wrote.

The new roadmap is part of the federal National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan. The roadmap is significant because it provides next steps for how CISA might work with companies and nonprofit groups using and developing open source software.

CISA notes that open source software can lead to great innovation; however, CISA said, vulnerabilities like the widespread Log4Shell vulnerability in 2021 show that a flaw in one widely reused open source component can be inherited by every product that bundles it. In addition, supply chain attacks can make open source software vulnerable.

CISA’s roadmap contains groundwork for possible application of the actions detailed in the Securing Open Source Software Act of 2023. The bill was first introduced in Congress in September 2022 and reintroduced in March 2023; it highlights the importance of the open source community to the tech industry and calls for CISA to work more directly with the open source community in matters of national security. The Securing Open Source Software Act has not yet passed in the House of Representatives.

Whether or not a federal act passes, organizations can vet their own transitive dependencies. Transitive dependencies are the packages that an organization’s direct open source dependencies themselves pull in, often several levels deep and without anyone on the project having chosen them. A software bill of materials (SBOM) makes that full dependency graph visible, so that each component and version can be checked against known vulnerabilities and pinned or replaced where necessary.

The open source security roadmap is one of many documents currently circulating in the U.S. federal realm related to aligning the open source community with high-stakes security needs. Representatives from CISA attended the Secure Open Source Software Summit 2023 on September 13 to discuss open source security standards with other government agencies and members of the industry. They addressed possible open source security concerns in critical infrastructure, public health and safety, economic stability or national security.

The meeting resulted in the creation of three objectives for the next year:

“While government agencies have made progress in addressing open source security, it is evident that further action is needed to enhance the protection of critical infrastructure and corporate assets,” said Mike Walters, vice president of vulnerability and threat research and co-founder of patch management software company Action1, in an email to TechRepublic.

“The risks that organizations face from open source vulnerabilities are significant and can have devastating consequences,” Walters said. “By investing in comprehensive security measures, fostering collaboration and enforcing secure practices, we can build a resilient ecosystem that encourages innovation while protecting against potential threats.”
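The transitive-dependency and SBOM passage above describes the check in one sentence; the following is an added example (not code from the article, CISA or TechRepublic) that performs it. It walks the dependency graph of a CycloneDX-style SBOM from the application’s root component, records how deep each package sits, and flags any package whose version falls inside a known-bad range. The SBOM, the package names under the `example` group, and the tiny version-range policy are all constructed for the example; a real check would pull ranges from a vulnerability database such as OSV or NVD rather than a hard-coded table.

```python
"""Find transitive dependencies in a CycloneDX-style SBOM and flag known-bad versions.

Added example, not part of the original article. The SBOM and the policy table
below are constructed for illustration.
"""
import re
from collections import deque

# Constructed SBOM fragment in the shape of CycloneDX JSON (metadata.component,
# components, dependencies). Package names under "example/" are fictitious.
SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/example/web-framework@3.1.0"},
        {"bom-ref": "pkg:maven/example/logging-shim@1.2.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "pkg:maven/example/json-mapper@2.12.5"},
        {"bom-ref": "pkg:maven/org.apache.commons/commons-text@1.10.0"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/app@1.0.0",
         "dependsOn": ["pkg:maven/example/web-framework@3.1.0",
                       "pkg:maven/org.apache.commons/commons-text@1.10.0"]},
        {"ref": "pkg:maven/example/web-framework@3.1.0",
         "dependsOn": ["pkg:maven/example/logging-shim@1.2.0",
                       "pkg:maven/example/json-mapper@2.12.5"]},
        {"ref": "pkg:maven/example/logging-shim@1.2.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                       # back-edge to exercise cycle handling (constructed)
                       "pkg:maven/example/web-framework@3.1.0"]},
    ],
}

# Constructed policy: package name -> (advisory, first affected, first fixed).
# The Log4Shell range is the real one for log4j-core (fixed in 2.15.0); the
# "first affected" values are approximate and only illustrate the comparison.
POLICY = {
    "org.apache.logging.log4j/log4j-core": ("CVE-2021-44228", "2.0", "2.15.0"),
    "org.apache.commons/commons-text": ("CVE-2022-42889", "1.5", "1.10.0"),
}

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")


def parse_purl(ref):
    """Return (name, version) from a package URL, or None if it is not a purl."""
    m = PURL_RE.match(ref)
    return (m.group("name"), m.group("version")) if m else None


def parse_version(v):
    """Dotted version -> tuple of ints; non-numeric suffixes ('-beta9') are dropped."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a sorts strictly before version b (zero-padded compare)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def transitive_dependencies(sbom):
    """BFS from the root component; returns {bom-ref: depth}, depth 1 = direct.

    A visited set makes this safe on cyclic graphs and diamonds.
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth, seen, queue = {}, {root}, deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        for child in edges.get(ref, []):
            if child in seen:
                continue
            seen.add(child)
            depth[child] = d + 1
            queue.append((child, d + 1))
    return depth


def find_vulnerable(sbom, policy=POLICY):
    """Return findings for every (transitive) package inside a policy's bad range."""
    findings = []
    for ref, depth in sorted(transitive_dependencies(sbom).items(), key=lambda kv: kv[1]):
        parsed = parse_purl(ref)
        if parsed is None:
            continue  # non-purl refs (e.g. local modules) cannot be matched
        name, version = parsed
        rule = policy.get(name)
        if rule is None:
            continue
        advisory, first_bad, fixed_in = rule
        if not version_lt(version, first_bad) and version_lt(version, fixed_in):
            findings.append({"ref": ref, "advisory": advisory, "depth": depth})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM):
        print(f"{f['advisory']}: {f['ref']} (dependency depth {f['depth']})")
```

The point the depth value makes is the one in the passage: log4j-core never appears in the application’s own manifest, it arrives three hops down through the web framework’s logging shim, and only the graph in the SBOM reveals that. commons-text at 1.10.0 is a direct dependency but sits at the fixed version, so it is correctly not flagged.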



This post first appeared on VedVyas Articles, please read the originial post: here
