Re: [open-regulatory-compliance] FYI UK Government report on OSS trust - gaps

The Eclipse Trustable Software Framework project appears to overlap with NIST SSDF goals/objective and practices.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788

From: Georg Link <linkgeorg@xxxxxxxxx>
Sent: Thursday, March 13, 2025 3:56 PM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx; Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] FYI UK Government report on OSS trust - gaps

Hi everyone,

> Outside of academic papers, trustworthiness wasn’t mentioned in any of the best practices we reviewed. This is a significant gap in the best practices landscape, as trust plays a vital role in adopting OSS components.

Just because the report authors didn't find it, doesn't mean it didn't exist.

Eclipse accepted a long-standing project into its ranks this year: https://projects.eclipse.org/proposals/eclipse-trustable-software

Best,

Georg

On Wed, Mar 12, 2025 at 9:06AM Dick Brooks via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

FYI:

A UK Government report on open source software contains some very specific findings and recommendations to establish trustworthiness in open source software:

https://www.securityweek.com/uk-government-report-calls-for-stronger-open-source-supply-chain-security-practices/

4.1.3 Trust in Open-Source Software

Trust in OSS is a critical concept when adopting OSS components. How does one come to trust an OSS component? More often than not, “there is no sound basis for trust in the Software Ecosystems (SECO) hubs”, with trust being considered “founded or unfounded” (Hou et al., 2022).

Outside of academic papers, trustworthiness wasn’t mentioned in any of the best practices we reviewed.

This is a significant gap in the best practices landscape, as trust plays a vital role in adopting OSS components.

This is precisely why a SCITT Trust Registry is essential, to serve as a trust anchor for trustworthy software products with specific cybersecurity labels providing justification for a “trust score” in the registry, which the buying public can query before buying a product.

The US Coast Guard is planning to implement a “Trust Registry” of approved products, which limits which products can be installed in IT and OT systems used by the US Coast Guard:

https://www.federalregister.gov/d/2025-00708/p-1047

I’m doing a presentation to the US NASA and the US Department of Energy (DOE) on March 21 on this very topic of SCITT Trust Registries to identify trustworthy products that have passed a risk assessment and may be installed in IT and OT systems.

Trustworthiness of a product will be based on NIST SCRM best practices contained in CISA’s Secure Software Acquisition Guide, https://cisa.gov/sag

Am happy to share my March 21 slides with any that request them.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.™

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org



--

Georg Link, PhD

(he/him)

TZ: US Central Time: US/Chicago
