Securing open source software: Whose job is it, anyway?
2024-03-08 01:02

On the government side of things, this includes a voluntary threat intelligence sharing program between the Feds and open source software developers and operators, which the US Cybersecurity and Infrastructure Security Agency will lead. "We want to help foster real-time collaboration around security incidents," CISA director Jen Easterly explained in a keynote address at the agency's Open Source Software Security Summit this week.

While it's not exactly new, in 2022 NPM - which bills itself as the world's largest software registry - began requiring maintainers of high-impact projects to use MFA. Last year, NPM developed tools that let maintainers automatically generate package provenance and Software Bills of Materials, which allow anyone using the open source packages to trace and verify code dependencies.

Securing software, with a particular focus on open source software, has been a key focus for the Biden administration since serious vulnerabilities in the open source Java-based Log4j logging library were discovered in late 2021.

In addition to holding software developers liable for selling vulnerable products, Easterly has also repeatedly called on vendors to support open source software security - either via money or dedicated developers to help maintain and secure the open source code that ends up in their commercial projects.

While the Feds' support for open source software is important, patching is even more so, Mike McGuire, a senior software manager at Synopsys, told The Register.

Synopsys recently published its 2024 open source security report, and McGuire pointed to its findings: "When over 70 percent of commercial applications have a high-risk open source vulnerability, and the average age of all vulnerabilities is 2.8 years old, it's clear that the biggest concern is not with the open source community, but with the organizations failing to keep up to date with the varying security patching work that the community is doing."

News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/08/securing_opensource_software_whose_job/