#security
#sbom
BekahHW
4 mins read
Recently, Congressman Maxwell Alejandro Frost and Congressman Don Beyer introduced new legislation called "The Spacecraft Cybersecurity Act" that will require NASA to secure a cybersecurity protection plan from manufacturers applying to use federal dollars to build NASA spacecrafts. This legislation is a response to "thousands of cyberattacks from malicious actors, including state-sponsored threats from China and Russia, [that] have been launched against NASA, threatening the safety of Americans, including astronauts."
"As we enter a new era of cyber threats, establishing a reasonable timeline for NASA to incorporate cybersecurity measures into their acquisition process is more important than ever. The Spacecraft Cybersecurity Act would safeguard NASA's space missions and continue to advance our country's leadership in space exploration that contributes to our economy, security, and understanding of space." -Congressman Frost
This Act requires NASA to finalize a plan within 270 days of the law’s enactment to revise its spacecraft acquisition standards to incorporate important cybersecurity requirements. Recognizing the technical complexities of this task, the bill allows NASA’s experts time to develop this plan.
NASA's recent actions are not occurring in isolation. They're part of a broader trend of increased scrutiny on software supply chains, particularly in government and critical infrastructure sectors. As governments worldwide deal with increasing cyber threats, they're turning their attention to the backbone of modern software - open source. This shift is creating both challenges and opportunities for the open source community.
While NASA's actions have brought immediate attention to the issue of software supply chain security, the European Union's proposed Cyber Resilience Act (CRA) represents a more comprehensive and far-reaching shift in the regulatory landscape. The CRA, first proposed in September 2022, aims to establish "common cybersecurity standards for products with digital elements across the EU."
The CRA doesn't explicitly mandate the use of SBOMs, but its requirements for security measures and transparency align closely with SBOM principles.
An SBOM, or Software Bill of Materials, is a detailed list of the software components and dependencies that make up a software application. It’s like an inventory or a “recipe” that outlines the different parts that have been used to create the software. SBOMs are useful for understanding the software supply chain, tracking vulnerabilities, and ensuring compliance with regulations like the CRA.
In OpenSauced, you can create SBOMS from a Repository Page. This feature allows you to generate a Software Bill of Materials (SBOM) for your open source project, providing a detailed inventory of all the software components and dependencies used in your application. For example, if I create an SBOM for Microsoft/TypeScript, I can see a list of 34 of it's dependencies, making it easier to track and manage the software supply chain.
Implementing comprehensive SBOMs could help organizations as the CRA is enforced by allowing for:
The tightening focus on software supply chain security mark a crossroad for the open source community. This shift isn’t just a challenge — it’s a chance to lead in strengthening the security and transparency of open source projects. We need to find ways to build greater trust with users, understand regulatory demands, and ensure the continued success of our projects.
Generate and review the SBOMs for your projects to see how secure the projects you depend on are. When we understand the software supply chain, we can better prepare for the changing regulations and find ways to improve our projects security.
Bekah graduated from a coding bootcamp in May of 2019 and since then has spent time as a frontend developer, started the Virtual Coffee tech community, spent time in DevRel and has continued to mom her four kids. She currently co-hosts the Compressed.fm and Virtual Coffee podcasts, lifts heavy things in her free time, & works as the Developer Experience Lead at OpenSauced.
Recent Posts
BekahHW
6 mins read
Understand the important role of transparency in open source through the PearAI and Continue.dev case study.
#pizza-cli
BekahHW
6 mins read
Discover the hidden costs of siloed knowledge in developer culture and how embracing shared ownership and tools like the CODEOWNERS file can enhance t...