The EU Cyber Resilience Act's impact on open source security
Authors: Emily Fox and Roman Zhukov, Red Hat Product Security

The world runs on open source. From the applications you use daily to the critical infrastructure powering our society, open source software is ubiquitous. However, this widespread adoption has brought with it an escalating need for robust security, a reality starkly highlighted by incidents like SolarWinds and the more recent XZ Utils backdoor. While the open source community often demonstrates remarkable resilience and collaboration in addressing threats, a significant shift in responsibility is now underway, driven in part by legislation such as the EU's Cyber Resilience Act (CRA).

For decades, open source security was a communal effort, relying on the goodwill and expertise of contributors. As commercial entities increasingly integrate open source into their products, they have often overlooked security at the source (i.e. upstream), instead opting to bolt on fixes only at product release. Despite security engineers tirelessly advocating for practices like supply chain security, widespread adoption has been limited by this afterthought mindset. Many organizations that are comfortable with their long-standing practices of consuming open source software have resisted re-evaluating their approach, operating under the dangerous and flawed assumption that because it worked for years and someone else always took care of it, there is no need to change.
This mindset ignores a fundamental truth: security is not about guaranteeing that compromise never happens, but about making it as difficult and as costly as possible for attackers when they inevitably strike. Now the CRA has arrived, aiming to address these very issues from a top-down perspective.
Original post: https://www.redhat.com/en/blog/eu-cyber-resilience-acts-impact-open-source-security