Seven open source foundations are coming together to create common specifications and standards for the European Cyber Resilience Act (CRA), a regulation adopted by the European Parliament last month.
The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation are pooling their collective resources and connecting the dots between existing security best practices in open source software development. When the new law takes effect in 2020, the much-maligned software supply chain will be up to the task.
component
It is estimated that between 70% and 90% of today's software is made up of open source components, many of which are developed for free by programmers in their free time and at their own expense.
The Cyber Resilience Act was first published in draft form nearly two years ago with the aim of codifying cybersecurity best practices for both hardware and software products sold across the European Union. It is designed to force all manufacturers of internet-connected products to stay up-to-date with all the latest patches and security updates, with penalties for defects. It is provided.
Penalties for these violations include fines of up to 15 million euros or 2.5% of global turnover.
In its original form, the law drew intense criticism from a number of third-party organizations, including one who wrote an open letter last year saying the law could have a “chilling effect” on software development. It also includes more than a dozen open source industry organizations. The core of the complaint centers on how “upstream” open source developers are held responsible for security flaws in downstream products, leaving volunteer project managers vulnerable to legal retaliation. Fear is deterring them from working on key components (this is the EU AI law approved last month).
The language within the CRA regulations provided some protection to the open source space, as long as developers who are not interested in commercializing their works are technically exempt. However, this language was open to interpretation as to what exactly constituted “commercial activity.” For example, do sponsorships, grants, and other forms of financial aid count?
Several changes were ultimately made to the text, and the revised law substantially addressed concerns by clarifying the exclusion for open source projects.
Although the new regulations have already been approved, they are not expected to come into force until 2027, giving all parties time to meet the requirements and iron out some details of what is expected. And this is what seven open source foundations are now coming together.
documentation
The way many open source projects evolve means that documentation is often patchy (if it even exists), which not only makes auditing difficult to support, but also allows downstream manufacturers and developers to create their own It also makes it difficult to develop a CRA process.
While many better-resourced open source initiatives already have appropriate best practice standards in place related to things like coordinated vulnerability disclosure and peer review, each organization uses different methodologies and terminology. may be. Coming together should go some way toward treating open source software development as a single “thing” bound by the same standards and processes.
Given other proposed regulations, such as the U.S. Open Source Software Protection Act, it is clear that various foundations and “open source stewards” will come under increased scrutiny for their role in the software supply chain.
“While open source communities and foundations typically adhere to industry best practices for security and have historically been well-established, their approaches often lack consistency and comprehensive documentation. Yes,” the Eclipse Foundation said in a blog post today. “The open source community and the broader software industry now share a common challenge: legislation creates an urgent need for cybersecurity process standards.
The new collaboration will initially consist of seven foundations, but in Brussels it will be led by the Eclipse Foundation, home to hundreds of individual open source projects across developer tools, frameworks, specifications, and more. Members of the foundation include Huawei, IBM, Microsoft, Red Hat, and Oracle.