CISA Collaborative Weighs in on Open Source Software Security
The Cybersecurity and Infrastructure Security Agency has released new joint guidance developed by its flagship public-private collaborative on open source software security in operational technology and industrial control systems.
The Joint Cyber Defense Collaborative — which includes federal entities like the FBI and private sector partners across a wide range of sectors — published a series of recommendations on Tuesday for operational technology vendors and critical infrastructure facilities to promote the secure use of open source software.
The JCDC identified security challenges that open source software and operational technology share with all software systems, including a lack of commercial support, insufficiently documented software and dependence on various libraries and components that can potentially introduce cyber risks into the software.
The guidance also noted that many operational technology systems and networks "are too often exposed to cyber threat actors targeting control systems and the critical infrastructure they operate," and recommended implementing routine security updates and regular patching to address known exploited vulnerabilities.
The JCDC called on the open source vendor community to further participate in the development and maintenance of such software’s security, from partnering with open source software foundations and participating in grant programs, to supporting the adoption of enhanced security measures and other critical practices throughout the software development lifecycle.
Other recommendations include leveraging common vulnerability identifiers and enhanced vulnerability management processes, as well as CISA's no-cost services that can help with risk exposure reduction. The agency provides partners with free network scanning and testing operations and offers security reviews that can detect vulnerabilities in internet-connected software.
In a press release, CISA Associate Director Clayton Romans described the recommendations as "actionable solutions" that will "help further reduce risk to our nation's critical infrastructure."
The agency urged organizations developing open source software to establish coordinated vulnerability disclosure programs as part of an effort to expand transparency and accountability around the responsible disclosure of security vulnerabilities in products and services.
The guidance encouraged vendors to maintain a comprehensive, updated asset inventory and highlighted the benefits that software bills of materials can provide in identifying vulnerabilities due to out-of-date open source software dependencies.
Organizations should also establish Open Source Program Offices to coordinate operations and maintain the security of various tools and components, the report said.