Core Infrastructure Initiative Creates Security Badge Program

The Linux Foundation’s Core Infrastructure Initiative (CII), a project that aims to bring technology companies together with the goal of identifying and funding critical open source projects, announced on Tuesday that it’s developing a new security-focused badge program.

The CII has asked the open source community to provide feedback on a set of criteria that will be used to determine the security, stability and quality of open source software (OSS). As part of this program, OSS projects that follow best practices will get a badge.

The initiators of the project believe that this will not only encourage developers to follow best practices, but it will also inform users on which projects are committed to security and quality.

The current criteria for best practices include project basics (a website, licensing information, and documentation), change control (a public version-controlled source repository, a changelog, and a bug reporting process), and quality assurance (a working build system and an automated test suite).

As far as security is concerned, the current criteria include protection against man-in-the-middle (MitM) attacks, a vulnerability reporting process, a vulnerability response process, and a patch development process. Developers must also use at least one static and one dynamic analysis tool to look for vulnerabilities and other defects in the source code.
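The article notes that some of the self-assessment may be done automatically by a tool. The following is an added illustration of what such a check could look like for the criteria listed above; it is not the CII's own badge tool, and the file names it treats as evidence (LICENSE, CHANGELOG, SECURITY.md, a tests directory and so on), the HTTPS-only reading of the MitM criterion, and the sample project tree are all assumptions made here.

```python
import os
import tempfile
from urllib.parse import urlparse

# On-disk evidence assumed for each file-level criterion (hypothetical mapping).
FILE_EVIDENCE = {
    "license": ("LICENSE", "LICENSE.md", "COPYING"),
    "documentation": ("README", "README.md", "docs"),
    "changelog": ("CHANGELOG", "CHANGELOG.md", "NEWS"),
    "build_system": ("Makefile", "CMakeLists.txt", "setup.py", "package.json"),
    "test_suite": ("tests", "test", "spec"),
    "vuln_reporting": ("SECURITY.md", "SECURITY"),
}


def uses_https(url):
    """MitM criterion, read here as: project URLs must be served over TLS."""
    return urlparse(url).scheme == "https"


def assess_project(root, website, repo_url, analysis_kinds):
    """Return {criterion: passed} for the badge criteria this script can check.

    analysis_kinds is the set of analysis tool kinds the project runs,
    e.g. {"static", "dynamic"}; the badge asks for at least one of each.
    """
    present = set(os.listdir(root))
    results = {name: any(p in present for p in paths)
               for name, paths in FILE_EVIDENCE.items()}
    results["website_https"] = uses_https(website)
    results["public_repo_https"] = uses_https(repo_url)
    results["static_analysis"] = "static" in analysis_kinds
    results["dynamic_analysis"] = "dynamic" in analysis_kinds
    return results


def earns_badge(results):
    """Every checked criterion must pass; failures are listed for follow-up."""
    return all(results.values()), sorted(k for k, v in results.items() if not v)


def demo():
    # Constructed sample project tree; names are placeholders, not a real project.
    root = tempfile.mkdtemp()
    for name in ("LICENSE", "README.md", "CHANGELOG.md", "Makefile", "SECURITY.md"):
        open(os.path.join(root, name), "w").close()
    os.mkdir(os.path.join(root, "tests"))
    good = assess_project(root, "https://example.org", "https://example.org/git", {"static", "dynamic"})
    weak = assess_project(root, "http://example.org", "https://example.org/git", {"static"})
    return good, weak
```

Running `demo()` shows the same tree passing when its website is served over HTTPS and both analysis kinds are in use, and failing on exactly the HTTP website and the missing dynamic analysis otherwise.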

“We are currently focused on identifying basic best practices that well-run OSS projects typically already follow. We are capturing other practices so that we can create more,” the initiators of the badge project said.

The CII admits that even OSS projects that follow best practices can have security flaws and other bugs, but the initiative believes they are in a better position to prevent, detect and address them.

OSS projects that follow best practices can receive a badge after conducting a self-assessment. In some cases, the evaluations will be conducted automatically by a tool.

“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, senior director of infrastructure security at The Linux Foundation. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”


The CII was established in 2014 in response to the critical OpenSSL vulnerability known as Heartbleed. The first projects to receive support were OpenSSL, NTP and OpenSSH. In June, the CII announced financial support of nearly half a million dollars for a new open source automated testing project, Debian’s Reproducible Builds initiative, and Hanno Böck’s Fuzzing Project.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
