The National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), and the Cybersecurity and Infrastructure Security Agency (CISA) have released a new report providing guidance on industry best practices on open source software and software bills of materials (SBOM).
The report – titled Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials – covers development activities and software supply chain security practices to curb risks from open source software use.
“Open source software is an essential and valuable component in many commercial and public-sector products and services, and collaboration on open source software often enables great cost-savings for participants,” said Aeva Black, CISA open source software security lead.
“However, organizations that do not follow a consistent and secure-by-design management practice for the open source software they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident,” she said.
Other key elements of the report include details on open source software adoption and things to consider when evaluating and “deploying an open source component into an existing product development environment,” the security and intelligence agencies said.
The document covers recommendations in the following areas:
- Open source selection criteria;
- Risk assessment;
- Licensing;
- Export control;
- Maintenance;
- Vulnerability response; and
- Secure software and SBOM delivery.
“Stakeholders should continually mitigate security concerns specific to their area of responsibility,” the report says. “However, other concerns may require a mitigation approach that dictates a dependency on another stakeholder or a shared responsibility by multiple stakeholders.”