
New Guide for Package Repositories to Adopt Trusted Publishers

By Seth Michael Larson

The Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group (WG) has just released a new guide for maintainers of open source software repositories. The guide details a new security capability named “Trusted Publishers”, which uses the OpenID Connect (OIDC) standard to authenticate with a package repository without long-lived secrets, thus avoiding many related security and operational challenges.

Trusted Publishers: Enhancing Security for Open Source Repositories

The guide details the implementation and design considerations gathered from implementing Trusted Publishers in multiple open source software repositories, such as the Python Package Index (PyPI) and RubyGems.org.

Implementation and Design Considerations

Trusted Publishers pair well with other security technologies like SLSA build provenance as they are built on the same underlying technology in OIDC. For some identity providers, Trusted Publishers also allow binding verifiable metadata like the source repository URL to a published artifact to avoid social confusion attacks like “Star-Jacking”.
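As an added illustration (not code from the guide, the blog post, or any package repository), here is a minimal Python model of the repository side of a Trusted Publisher exchange: the CI provider's identity service issues a short-lived OIDC token, the repository verifies it and checks its claims against a publisher the project owner registered in advance, and only then mints a short-lived upload token. The audience string, claim names, registry layout and the HMAC stand-in for the provider's signature are all assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets

AUDIENCE = "example-package-index"   # assumed: the repository's own audience string
UPLOAD_TOKEN_TTL = 15 * 60           # assumed: upload tokens live 15 minutes

# Constructed registry: what a project owner records when registering a publisher.
# Both the human-readable repository name and its immutable id are stored.
TRUSTED_PUBLISHERS = [{
    "project": "sampleproj", "iss": "https://ci.example/oidc",
    "repository": "octo/sampleproj", "repository_id": "12345",
    "workflow": "release.yml",
}]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_oidc_token(claims: dict, key: bytes) -> str:
    """Stand-in for the CI provider's identity service: sign claims as a
    compact JWT. Real providers sign with asymmetric keys published via
    JWKS; HMAC is used here only to keep the example self-contained."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def exchange_for_upload_token(token: str, key: bytes, now: float):
    """Repository side of the exchange. Returns (upload_token, None) when
    the OIDC token matches a registered publisher, else (None, reason)."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None, "malformed token"
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None, "unexpected alg"            # refuse algorithm confusion
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(sig)):
        return None, "bad signature"             # never read claims before this
    claims = json.loads(_unb64url(body))
    if claims.get("aud") != AUDIENCE:
        return None, "audience mismatch"         # token was minted for another service
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "expired"
    for pub in TRUSTED_PUBLISHERS:
        # Match every registered field: the immutable id stops a reclaimed
        # repository name from passing, the name stops a renamed repository
        # from publishing silently under an old registration.
        if all(claims.get(k) == pub[k] for k in ("iss", "repository", "repository_id", "workflow")):
            return {"project": pub["project"], "expires": now + UPLOAD_TOKEN_TTL,
                    "secret": secrets.token_urlsafe(32)}, None
    return None, "no matching trusted publisher"
```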

User Adoption and Impact

In addition to added security benefits, Trusted Publishers are popular with users when they’re available. For example, PyPI added support for Trusted Publishers in April of 2023 and has since seen over 14,000 projects voluntarily adopt Trusted Publishers.

Accessing and Contributing to the Guide

You can find the guide hosted on openssf.org and submit contributions on GitHub. Thanks to everyone in the working group who contributed their expertise and reviews during the writing of this guide.

About the OpenSSF Securing Software Repositories Working Group

The OpenSSF Securing Software Repositories Working Group focuses on the maintainers of software repositories, software registries, and tools which rely on them. The working group provides a forum to share experiences and to discuss shared problems, risks, and threats. For more information on the OpenSSF Securing Software Repositories Working Group, see our GitHub Repo.

About the Author

Seth Larson is the Security Developer-in-Residence at the Python Software Foundation, a Python Software Foundation Fellow, maintainer of popular Python open source packages like urllib3 and Requests, and an advocate for open source sustainability and security.


Enhancing Open Source Security: Introducing Siren by OpenSSF

By Christopher “CRob” Robinson, Director of Security Communications, Intel Product Assurance and Security, Intel Corporation; and Bennett Pursell, Ecosystem Strategist, OpenSSF

In the ever-evolving landscape of cybersecurity threats, collaboration and information sharing are paramount. Now, more than ever, the open source community needs a centralized platform to exchange threat intelligence efficiently. Introducing Siren, a threat intelligence sharing list hosted by the Open Source Security Foundation (OpenSSF), a groundbreaking initiative aimed at fortifying the defenses of open source projects worldwide.

The Need for Collective Defense

It’s estimated that open source software powers up to 90% of modern software, from web servers to mobile applications. However, with its widespread adoption comes increased scrutiny from threat actors seeking to exploit vulnerabilities for their gain. Recent attacks on projects like XZ-Utils and the OpenJS community are stark reminders of the importance of proactive security measures.

While the community has proven methods of communicating vulnerabilities to others within the community, such as the oss-security mailing lists, it does not have a means of communicating information about exploits efficiently to the broader downstream audience.

While consumers and enterprises may have intelligence sharing structures in place, this does not always extend to the upstream open source community. OpenSSF Siren is an open source resource that fills this gap.

Introducing the OpenSSF Siren

The OpenSSF Siren is a collaborative effort to aggregate and disseminate threat intelligence specific to open source projects. Hosted by the OpenSSF, this platform provides a secure and transparent environment for sharing Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with recent cyber attacks. Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination.

Key features of the OpenSSF Siren include:

  • Open Source Threat Intelligence: Intelligence shared with the community about actively exploited public vulnerabilities and threats.
  • Real-Time Updates: List members receive notifications via email about emerging threats which may be relevant to their projects, enabling swift action to mitigate risks.
  • TLP:CLEAR: To facilitate effective, unrestricted and transparent communication, the list follows the Traffic Light Protocol (TLP) CLEAR guidelines for the sharing and handling of intelligence.
  • Community-driven: Contributors from diverse backgrounds collaborate to enrich the intelligence database, fostering a culture of shared responsibility and collective defense.

Strengthening Open Source Security Together

By leveraging the collective knowledge and expertise of the open source community and other security experts, the OpenSSF Siren empowers projects of all sizes to bolster their cybersecurity defenses and increase their overall awareness of malicious activities. Whether you’re a developer, maintainer, or security enthusiast, your participation is vital in safeguarding the integrity of open source software.

Join us in the fight against cyber threats by becoming a member of the OpenSSF Siren today. Together, we can build a more resilient and secure open source ecosystem for generations to come.

Get Involved

Ready to take action? Here’s how you can contribute:

  1. Sign Up: Register for membership on the OpenSSF Siren to start receiving real-time threat intelligence updates.
  2. Contribute: Share your insights and experiences to enrich the intelligence database and help protect open source projects worldwide.
  3. Spread the Word: Share this initiative with your network and encourage others to join the cause.

Together, let’s make open source software secure for everyone. Join the OpenSSF Siren today and be part of the solution. You also can join the conversation within the OpenSSF’s Vulnerability Disclosure working group to engage with other community security experts that are helping demystify vulnerabilities within our open source ecosystem.