{"id":52264,"date":"2023-09-12T15:21:04","date_gmt":"2023-09-12T19:21:04","guid":{"rendered":"https:\/\/sdtimes.com\/?p=52264"},"modified":"2024-04-22T16:25:46","modified_gmt":"2024-04-22T20:25:46","slug":"cisa-releases-roadmap-for-securing-open-source-software","status":"publish","type":"post","link":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/","title":{"rendered":"CISA releases roadmap for securing open-source software"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an <\/span><a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\"><span style=\"font-weight: 400;\">executive order<\/span><\/a><span style=\"font-weight: 400;\"> to improve cybersecurity, and since then it has made progress in <\/span><a href=\"https:\/\/sdtimes.com\/security\/white-house-reveals-new-plan-for-how-u-s-addresses-cybersecurity\/\"><span style=\"font-weight: 400;\">providing guidance<\/span><\/a><span style=\"font-weight: 400;\"> to companies on how to actually meet these cybersecurity goals.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Now the U.S. federal Cybersecurity &amp; Infrastructure Security Agency (CISA) is building on that work with a new roadmap specifically for securing open-source software (OSS).\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cCISA recognizes the immense benefits of open source software, which enables software developers to work at an accelerated pace and fosters significant innovation and collaboration. 
With these benefits in mind, this roadmap lays out how CISA will help enable the secure usage and development of OSS, both within and outside the federal government,\u201d CISA wrote in the <\/span><a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-09\/CISA-Open-Source-Software-Security-Roadmap-508c%20%281%29.pdf\"><span style=\"font-weight: 400;\">document for the roadmap<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The roadmap defines two major types of open-source vulnerabilities. The first is the cascading effects of vulnerabilities for widely used open-source software. It cited Log4Shell as an example of the widespread consequences that could result from open-source software being compromised.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The second is supply chain attacks on open-source repositories, which could result in negative downstream impacts, such as a developer\u2019s account being compromised and an attacker using it to commit malicious code.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The roadmap lists four key priorities: establishing its own role in supporting security of open source, driving visibility into usage and risks of open source, reducing risks to the federal government, and hardening the open-source ecosystem.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to CISA, this will all help it achieve its vision for open-source software, which is one in which \u201cevery critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Dan Lorenc, co-founder and CEO of supply chain security company <\/span><a href=\"https:\/\/www.chainguard.dev\/\"><span style=\"font-weight: 400;\">Chainguard<\/span><\/a><span style=\"font-weight: 400;\">, feels that CISA has done a good job in segmenting the problems in this 
field and then prioritizing work to address them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">He also said CISA did a good job of recognizing that the work needs to \u201chappen upstream, and CISA employees will need to engage directly with communities,\u201d though he remains skeptical about how that will actually go and is trying to stay optimistic.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Lorenc recommends the government put some effort into actually funding open-source projects, which the roadmap currently doesn\u2019t address at all.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cThe government doesn\u2019t have a great reputation for helping out with direct code or other contributions, but they do have the ability to help fund work already being done to achieve many of these roadmap items, such as memory safety, vulnerability remediation and SBOM tooling,\u201d Lorenc told SD Times. \u201cThe government collaboration model here can\u2019t be \u2018you push, we\u2019ll steer.\u2019\u201d<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an executive order to improve cybersecurity, and since then it has made progress in providing guidance to companies on how to actually meet these cybersecurity goals. Now the U.S. 
federal Cybersecurity &amp; Infrastructure Security Agency  &hellip; <a class=\"read-more\" href=\"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/\">continue reading<\/a><\/p>\n","protected":false},"author":752,"featured_media":52265,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"cybocfi_hide_featured_image":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[1],"tags":[7124,16924,45,16101],"coauthors":[11687],"acf":[],"yoast_head_json":{"title":"CISA releases roadmap for securing open-source software - SD Times","description":"Securing software supply chains that include open sourcehas been a big focus of the Biden administration.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/","og_locale":"en_US","og_type":"article","og_title":"CISA releases roadmap for securing open-source software - SD Times","og_description":"Securing software supply chains that include open sourcehas been a big focus of the Biden administration.","og_url":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/","og_site_name":"SD Times","article_publisher":"https:\/\/www.facebook.com\/SDTimesD2","article_published_time":"2023-09-12T19:21:04+00:00","article_modified_time":"2024-04-22T20:25:46+00:00","og_image":[{"width":1920,"height":1280,"url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/09\/pexels-andrew-neel-2859169.jpg","type":"image\/jpeg"}],"author":"Jenna Barron","twitter_card":"summary_large_image","twitter_creator":"@sdtimes","twitter_site":"@sdtimes","twitter_misc":{"Written by":"Jenna Barron","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/#article","isPartOf":{"@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/"},"author":{"name":"Jenna Barron","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/f2524e55ae19da07ea3613577da9f786"},"headline":"CISA releases roadmap for securing open-source software","datePublished":"2023-09-12T19:21:04+00:00","dateModified":"2024-04-22T20:25:46+00:00","mainEntityOfPage":{"@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/"},"wordCount":451,"publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"image":{"@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/09\/pexels-andrew-neel-2859169.jpg","keywords":["CISA","secrets management","security","Supply Chain Security"],"articleSection":["Latest News"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/","url":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/","name":"CISA releases roadmap for securing open-source software - SD Times","isPartOf":{"@id":"https:\/\/sdtimes.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/#primaryimage"},"image":{"@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/09\/pexels-andrew-neel-2859169.jpg","datePublished":"2023-09-12T19:21:04+00:00","dateModified":"2024-04-22T20:25:46+00:00","description":"Securing software supply chains that include open 
sourcehas been a big focus of the Biden administration.","breadcrumb":{"@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/#primaryimage","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/09\/pexels-andrew-neel-2859169.jpg","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/09\/pexels-andrew-neel-2859169.jpg","width":1920,"height":1280},{"@type":"BreadcrumbList","@id":"https:\/\/sdtimes.com\/security\/cisa-releases-roadmap-for-securing-open-source-software\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sdtimes.com\/"},{"@type":"ListItem","position":2,"name":"CISA releases roadmap for securing open-source software"}]},{"@type":"WebSite","@id":"https:\/\/sdtimes.com\/#website","url":"https:\/\/sdtimes.com\/","name":"SD Times","description":"Software Development News","publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sdtimes.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/sdtimes.com\/#organization","name":"SD Times","url":"https:\/\/sdtimes.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","width":225,"height":90,"caption":"SD 
Times"},"image":{"@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/SDTimesD2","https:\/\/x.com\/sdtimes","https:\/\/www.linkedin.com\/company\/sdtimes\/"]},{"@type":"Person","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/f2524e55ae19da07ea3613577da9f786","name":"Jenna Barron","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/image\/b4be3423b187642936e62f121111345e","url":"https:\/\/secure.gravatar.com\/avatar\/b128943929626cdcafccbac86bd306f9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b128943929626cdcafccbac86bd306f9?s=96&d=mm&r=g","caption":"Jenna Barron"},"description":"Jenna Barron is News Editor of SD Times.","url":"https:\/\/sdtimes.com\/author\/jennifer-sargent\/"}]}},"_links":{"self":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/52264"}],"collection":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/users\/752"}],"replies":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/comments?post=52264"}],"version-history":[{"count":1,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/52264\/revisions"}],"predecessor-version":[{"id":52266,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/52264\/revisions\/52266"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media\/52265"}],"wp:attachment":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media?parent=52264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/categories?post=52264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/tags?post=52264"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/coauthors?post=52264"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}