The National Security Agency, Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence and industry partners have issued a cybersecurity technical report offering recommendations to ensure the security of the software supply chain.

NSA said Monday that the document applies to development efforts ranging from a single developer to a large company and focuses on the management of open source software, or OSS, and software bills of materials, or SBOMs.

The guidance identifies seven areas of improvement related to OSS and software development, intended to help organizations mature their software development processes: open source selection criteria; risk assessment; licensing; export control; maintenance; vulnerability response; and secure software and SBOM delivery.

“Open source software is an essential and valuable component in many commercial and public-sector products and services, and collaboration on open source software often enables great cost-savings for participants,” said Aeva Black, open source software security lead at CISA.

Black added that the guide could help organizations improve the security and safety of their open source software management practices.

The document describes how to create and maintain a company's internal, vetted open source repository, and how to maintain, monitor and update the OSS drawn from it.
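To make the "internal repository plus SBOM" workflow concrete, here is an added example (not code from the NSA/CISA/ODNI report or from any named tool) that checks a delivered SBOM against an organization's vetted internal repository. The SBOM is a hand-constructed CycloneDX-style JSON document, `INTERNAL_REPO` is a hypothetical manifest of approved packages and versions, and `ALLOWED_LICENSES` is a hypothetical license allowlist; all three are assumptions for illustration. Each finding is tagged with the improvement area from the guidance it touches (selection, maintenance, licensing, delivery).

```python
"""Check a delivered CycloneDX-style SBOM against a vetted internal OSS repository.

Added example; the SBOM, repository manifest and license allowlist below are
constructed for illustration, not taken from any real product or policy.
"""
import json
from dataclasses import dataclass, field

# Constructed sample SBOM in CycloneDX JSON shape (assumption: not a real SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "pyyaml", "version": "5.3.1",
         "purl": "pkg:pypi/pyyaml@5.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "leftpad-clone", "version": "0.0.1",
         "purl": "pkg:npm/leftpad-clone@0.0.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": []},
    ],
})

# Hypothetical internal repository manifest: versionless purl -> approved version.
INTERNAL_REPO = {
    "pkg:pypi/requests": {"approved_version": "2.31.0"},
    "pkg:pypi/pyyaml": {"approved_version": "6.0.1"},
    "pkg:npm/lodash": {"approved_version": "4.17.21"},
}

# Hypothetical license allowlist for the organization.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


@dataclass
class Component:
    name: str
    version: str
    purl: str
    licenses: list = field(default_factory=list)


@dataclass
class Finding:
    purl: str
    area: str     # guidance improvement area: selection, maintenance, licensing, delivery
    detail: str


def parse_sbom(text):
    """Parse a CycloneDX JSON document into Component records."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        ids = [lic.get("license", {}).get("id") for lic in c.get("licenses", [])]
        comps.append(Component(c["name"], c["version"], c.get("purl", ""),
                               [i for i in ids if i]))
    return comps


def split_purl(purl):
    """Split 'pkg:type/name@version' into (base, version); rpartition tolerates '@' in names."""
    base, sep, version = purl.rpartition("@")
    return (base, version) if sep else (purl, "")


def evaluate(components, repo=INTERNAL_REPO, allowed=ALLOWED_LICENSES):
    """Compare each SBOM component with the internal repository and license policy."""
    findings = []
    for comp in components:
        base, ver = split_purl(comp.purl)
        # Delivery integrity: the purl and the declared version must agree.
        if ver != comp.version:
            findings.append(Finding(comp.purl, "delivery",
                                    f"purl version {ver!r} != declared {comp.version!r}"))
        policy = repo.get(base)
        if policy is None:
            findings.append(Finding(comp.purl, "selection",
                                    "not in the internal repository; needs selection review"))
        elif ver != policy["approved_version"]:
            findings.append(Finding(comp.purl, "maintenance",
                                    f"version {ver} differs from approved {policy['approved_version']}"))
        if not comp.licenses:
            findings.append(Finding(comp.purl, "licensing", "no license declared in SBOM"))
        else:
            bad = [lic for lic in comp.licenses if lic not in allowed]
            if bad:
                findings.append(Finding(comp.purl, "licensing",
                                        "license(s) not on allowlist: " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_sbom(SAMPLE_SBOM)):
        print(f"[{f.area}] {f.purl}: {f.detail}")
```

Run against the constructed SBOM, the check reports a stale pyyaml (maintenance), an unvetted leftpad-clone with a non-allowlisted license (selection, licensing), and a lodash entry with no declared license (licensing), while requests passes cleanly. In practice the manifest would be generated from the internal repository rather than hand-written, and the "maintenance" findings would feed the vulnerability-response process the guidance describes.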