CISA and OpenSSF Release Framework for Package Repository Security

CISA and OpenSSF Release Framework for Package Repository Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it’s partnering with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish a new framework to secure package repositories.

Called the Principles for Package Repository Security, the framework aims to establish a set of foundational rules for package managers and further harden open-source software ecosystems.

Notably, the principles lay out four security maturity levels for package repositories across four categories of authentication, authorization, general capabilities, and command-line interface (CLI) tooling –

  • Level 0 – Having very little security maturity
  • Level 1 – Having basic security maturity, such as multi-factor authentication (MFA) and allowing security researchers to report vulnerabilities
  • Level 2 – Having moderate security, which includes actions like requiring MFA for critical packages and warning users of known security vulnerabilities
  • Level 3 – Having advanced security, which requires MFA for all maintainers and supports build provenance for packages

All package management ecosystems should be working towards at least Level 1, the framework authors Jack Cable and Zach Steindler note.

The development comes as the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of security risks arising as a result of using open-source software for maintaining patient records, inventory management, prescriptions, and billing.

“While open-source software is the bedrock of modern software development, it is also often the weakest link in the software supply chain,” it said in a threat brief published in December 2023.