Securing Open Source Software, the Cyber Resilience Act Way

The Eclipse Foundation and other open source organizations are working towards implementing the European Union’s Cyber Resilience Act’s software development security requirements.

If anyone still doubted that we need to do a better job of securing open source software, the recent XZ Utils backdoor incident was a loud alarm. The European Union (EU) figured this out a while back. In its Cyber Resilience Act (CRA), it asked the open source community to establish common specifications for secure software development. The Eclipse Foundation and a host of other leading open source organizations, including the Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation and the Rust Foundation, are up for the challenge.

The Eclipse Foundation is spearheading the effort to create a unified framework for secure software development. The foundations and allies are doing this via a new working group, established under the Eclipse Foundation Specification Process.

The collaboration is spurred by more than regulatory compliance. In an era where open source software is pivotal to modern society, the imperative for safety, reliability and security in software has never been more critical. As Arpit Joshipura, the Linux Foundation's senior VP of networking, said at the Open Source Summit Europe in Bilbao, Spain, last year, "We must look at the end goal. The end goal for all of us is the same. We want to secure software, and we want to secure open source software."

This process won’t be easy. It will be a highly technical standardization journey. The project will start with the current security policies and procedures of the open source foundations involved. The final result will be process specifications, which will be made freely available under a liberal specification copyright license and a royalty-free patent license.

The Eclipse Foundation and friends aren't the only ones working on such security efforts. For example, the working groups of the Open Source Security Foundation (OpenSSF) and the Open Source Consumption Manifesto (OSCM) are also working on building best security practices into open source software supply chains.

Under the CRA, the legal person (an organization, not the flesh-and-blood person reading this story) responsible for these new policies and their implementation will be known as the "Open Source Software Steward." This will be a heck of a job.

Leaving aside the code and technical issues, the open source groups must work with traditional standards organizations. Historically, neither kind of group has worked well with the other. To make matters worse, the governance models of standards organizations don't even have a way of dealing with open source groups. Indeed, for the fruits of this effort to make it into regulation, they will have to go through the formal standardization processes of at least one of the European Standards Organizations (CEN, CENELEC or ETSI).

This is going to be so much fun!

Adding insult to injury, setting technology standards usually takes years, and the CRA requires manufacturers and stewards to have something in place by 2027. Good luck with that!

“There is an enormous amount of work that will need to be done over the next three years to implement the CRA,” Eclipse Foundation executive director Mike Milinkovich said. “It’s the first law anywhere regulating the software industry as a whole. The implications of this go far beyond the open source community and will impact startups and small enterprises as well as global industry players.”

Despite the challenges, the initiative represents a crucial step forward. The working group is optimistic about laying the groundwork for cybersecurity standards that can serve both the open source and proprietary software realms.

I wish them luck. They’ll need it.

Steven J. Vaughan-Nichols

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast Internet connection, and WordStar was the state-of-the-art word processor. And we liked it!
