Seven open source foundations are coming together to create common specifications and standards for Europe’s Cyber Resilience Act (CRA), regulation adopted by the European Parliament last month.
The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation revealed their intentions to pool their collective resources and join the dots between existing security best practices in open source software development — and ensure that the much-maligned software supply chain is up to the task when the new legislation comes into force in three years.
Componentry
It’s estimated that between 70% and 90% of software today is made up of open source components, many of which are developed for free by programmers in their own time and on their own dime.
The Cyber Resilience Act was first unveiled in draft form nearly two years ago, with a view toward codifying best cybersecurity practices for both hardware and software products sold across the European Union. It’s designed to force all manufacturers of any internet-connected product to stay up-to-date with all the latest patches and security updates, with penalties in place for shortcomings.
These non-compliance penalties include fines of up to €15 million, or 2.5% of global turnover.
The legislation in its initial guise prompted fierce criticism from numerous third-party bodies, including more than a dozen open-source industry bodies who last year wrote an open letter saying that the Act could have a “chilling effect” on software development. The crux of the complaints centered on how “upstream” open source developers might be held liable for security defects in downstream products, thus deterring volunteer project maintainers from working on critical components for fear of legal retribution (this is similar to concerns that abounded around the EU AI Act which was greenlighted last month).
The wording within the CRA regulation did offer some protections for the open source realm, insofar as developers not concerned with commercializing their work were technically exempt. However, the language was open to interpretation in terms of what exactly fell under the “commercial activity” banner — would sponsorships, grants, and other forms of financial assistance count, for example?
Some changes to the text were eventually made, and the revised legislation substantively addressed the concerns through clarifying open source project exclusions.
Although the new regulation has already been rubber stamped, it won’t come into force until 2027, giving all parties time to meet the requirements and iron out some of the finer details of what’s expected of them. And this is what the seven open source foundations are coming together for now.
Documentation
The manner in which many open source projects evolve has meant that they often have patchy documentation (if any at all) which makes it difficult to support audits, as well as making it difficult for downstream manufacturers and developers to develop their own CRA processes.
Many of the better-resourced open source initiatives already have decent best practice standards in place, relating to things like coordinated vulnerability disclosures and peer review, but each entity might use different methodologies and terminologies. By coming together as one, this should go some way toward treating open source software development as a single “thing” bound by the same standards and processes.
Throw into the mix other proposed regulation, including the Securing Open Source Software Act in the U.S., and it’s clear that the various foundations and “open source stewards” will come under greater scrutiny for their role in the software supply chain.
“While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation,” the Eclipse Foundation wrote in a blog post today. “The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.
The new collaboration, while consisting of seven foundations initially, will be spearheaded in Brussels by the Eclipse Foundation, which is home to hundreds of individual open source projects spanning developer tools, frameworks, specifications, and more. Members of the foundation include Huawei, IBM, Microsoft, Red Hat and Oracle.