Seven open source institutions come together to create common specifications and standards for the European Cyber Resilience Act (CRA), a regulation approved by the European Parliament last month.
The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software FoundationPHP Foundation, Python Software Foundationand Rust Foundation reveal them intentions to gather their collective resources and connect the dots between existing security best practices in open source software development — and ensure that the much-maligned software supply chain is up to the task when the new legislation takes effect in three years.
Ingredient
It is estimated that between 70% and 90% Software today consists of open source components, many of which are developed for free by developers on their own time and on their own dime.
The Cyber Resilience Act was first introduced in draft form almost two years ago, with the aim of codifying cyber security best practices for both hardware and software products sold across the European Union. It is designed to compel all manufacturers of any Internet-connected product to stay up-to-date with all the latest patches and security updates, with penalties for omissions.
These non-compliance penalties include fines of up to €15 million, or 2.5% of global turnover.
The legislation in its original form drew sharp criticism from many third-party bodies, including more than a dozen open-source industry bodies that wrote an open letter last year saying the law could have a “chilling effect” on software development. The gist of the complaints focused on how “upstream” open source developers could be held responsible for security flaws in later products, thus preventing volunteer project maintainers from working on critical components for fear of legal retribution (this is similar with concerns abounding around the EU’s Artificial Intelligence Act, which was given the go-ahead last month).
The wording in the CRA did provide some protections for the open source field, insofar as developers who were not commercializing their work were technically exempt. However, the language was open to interpretation as to what exactly falls under the banner of “commercial activity” — would, for example, sponsorships, grants and other forms of financial assistance count?
Eventually some changes were made to the text and the revised legislation effectively addressed the concerns through clarifying open source project exemptions, and carves out a specific role for what it calls “open source managers,” which includes non-profit institutions.
“Overall, we’re happy with the outcome… the process worked and the open source community was heard,” Eclipse Foundation Executive Director Mike Milinkovich told TechCrunch. “One of the more interesting aspects of the finale regulation is that it recognizes “open source software operators” as a form of economic agent who are part of the overall software supply
chain. This is the first bill in the world to recognize the role played by foundations and other forms of community trustees.”
Although the new regulation has already been sealed, it will not come into force until 2027, giving all parties time to meet the requirements and clarify some of the details of what is expected of them. And that’s what the seven open source foundations bring together for now.
“There is a tremendous amount of work that will need to be done over the next three years in order to implement the CRA,” Milinkovic said. “Please note that the CRA is the first law anywhere in the world to regulate the software industry as a whole. The implications of this go far beyond the open source community and will impact startups and small businesses as well as global industry players.”
Documentation
The way many open source projects evolve means that they often have fragmentary documentation (if any), which makes it difficult to support audits and makes it difficult for downstream developers and developers to develop their own CRA processes.
Many of the better-resourced open source initiatives already have decent best practice standards, related to things like coordinated vulnerability disclosures and peer review, but each entity may use different methodologies and terminologies. Combined as one, this should help treat open source software development as a single “thing” bound by the same standards and processes.
Throw into the mix other proposed regulations, including the Secure Open Source Software Act in the US, and it’s clear that various institutions and “open source managers” will come under greater scrutiny for their role in the software supply chain.
“While open source communities and institutions generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation,” The Eclipse Foundation he wrote in a blog post today. “The open source community and the wider software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.”
The new collaboration, while initially consisting of seven institutions, will be led in Brussels by the Eclipse Foundation, which hosts hundreds of individual open source projects spanning developer tools, frameworks, specifications, and more. Foundation members include Huawei, IBM, Microsoft, Red Hat and Oracle.
