
The new report “Pathways to Cybersecurity Best Practices in Open Source” by the Linux Foundation Research promotes a better understanding of the CRA and helps to alleviate prevalent worries and uncertainties in open source communities. It combines an analysis of the CRA text, a review of the cybersecurity practices of key open source projects, qualitative insights from interviews with project stakeholders from three Linux Foundation hosted projects, and takeaways from workshops and stakeholder engagements.

The report captures how current practices align with the CRA requirements for stewards. It shows where potential gaps exist. It also highlights where these critical projects go beyond the CRA baseline to push cybersecurity further than required by the new regulation.

The three widely used open source projects featured are the Civil Infrastructure Platform (CIP), the Yocto Project, and the Zephyr Project. Each demonstrates advanced security practices that substantially align with CRA requirements.
The Zephyr Project, in particular, implements several advanced cybersecurity practices that extend beyond CRA requirements. Zephyr maintains robust security oversight as a CVE Numbering Authority (CNA) with an established Product Security Incident Response Team (PSIRT). It enables effortless generation of build-specific SBOMs in SPDX format and actively monitors direct reports, with typical response times of one to two days for security-related requests. Its CNA status also gives Zephyr a direct channel to PSIRT authorities for vulnerability notifications.

With the Cyber Resilience Act (CRA) officially published as Regulation (EU) 2024/2847 and entering into force on December 10, 2024, the countdown is on for organizations to understand and prepare for its full application by December 11, 2027. The CRA introduces broad obligations for products with digital elements, aiming to reduce cybersecurity risks and increase trust in the European digital market.
To help organizations prepare, LF Education and the Open Source Security Foundation (OpenSSF) launched a free training course: “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)” – now available online.

This course covers the key requirements of the EU’s Cyber Resilience Act (CRA), including terms, roles, obligations, essential cybersecurity requirements, product markings, compliance processes, and penalties for non-compliance. It prepares decision-makers, software developers, OSS developers, and OSS stewards to navigate CRA compliance, mitigate risks, and meet regulatory standards. Enroll in the free course!
The report “Pathways to Cybersecurity Best Practices in Open Source” provides a number of recommendations on what actions other open source projects and stakeholders can take, and which priority areas to focus on. Through greater collective understanding and collaboration, there is not only a pathway to achieving CRA compliance but also an unprecedented opportunity to strengthen the resilience, sustainability, and security of open source software.
To keep up to date about the project, subscribe to the Zephyr quarterly newsletter or connect with us on @ZephyrIoT, Zephyr Project LinkedIn or the Zephyr Discord Channel to talk with community and TSC members.