NSA-Led Group Releases Best Practices for Managing Open-Source Software Risks

A public-private working group led by the National Security Agency has published guidance for managing open-source software and software bills of materials.

Titled “Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,” the new report builds on a recent Office of Management and Budget memorandum, the NSA said Monday.

The NSA, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence led Enduring Security Framework members in creating approaches to describe and evaluate security practices relative to the software lifecycle. The group’s guidance targets single developers and large industry companies.

Aeva Black, CISA’s open-source software security lead, said organizations that do not adhere to a “consistent and secure-by-design management practice” for their open-source software tend to become vulnerable to known exploits and face more challenges in incident response.

According to the NSA, elements of open-source software could have weaknesses that might be exploited by nation-state adversaries.