Open Source Community Unites to Build EU CRA-Compliant Cybersecurity Processes
By Dirk-Willem van Gulik, VP of Public Affairs
Cybersecurity is a central topic for governments around the world. The European Union’s Cyber Resilience Act (CRA) introduced rules on how software should be developed, tested, audited and supported to ensure more secure software. Because open source software underpins today’s global digital infrastructure, this has a profound impact on many actors in the open source software ecosystem.
The Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are jointly announcing our intention to collaborate on the establishment of common specifications for secure software development, based on existing open source best practices. The working group is forming to address the multifaceted challenges of cybersecurity in the open source ecosystem, and to demonstrate our commitment to cooperating with the CRA and to implementing its requirements.
The group’s initial effort will be to enumerate the existing security policies and procedures of the respective open source foundations, together with similar documents describing best practices. For years, the foundations and their communities have created and maintained industry best practices for secure software development processes. With these best practices as our starting point, we aim to accelerate the development of the cohesive cybersecurity processes required for regulatory compliance, while offering a neutral environment for hosting technical discussions with the open source community at large.
Neutrality with respect to foundations, vendors, communities and other stakeholders is central to this effort. The new working group will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process. The governance of the working group will follow the Eclipse Foundation’s usual member-led model, augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence.
Read Eclipse’s blog to learn more about the specific impacts on open source, including the introduction of the Open Source Steward, and my previous blog if you want to go deep on the inner workings of the CRA.
This is a crucial time for the open source community to come together to ensure a more secure future for everyone. We welcome all code-hosting open source foundations, SMEs, industry players, and researchers to join in this collaboration. To stay updated on this initiative, sign up for the working group’s mailing list.