SecurityWeek

Compliance

Core Infrastructure Initiative Creates Security Badge Program

The Linux Foundation’s Core Infrastructure Initiative (CII), a project that aims to bring technology companies together with the goal of identifying and funding critical open source projects, announced on Tuesday that it’s developing a new security-focused badge program.

The CII has asked the open source community to provide feedback on a set of criteria that will be used to determine the security, stability and quality of open source software (OSS). As part of this program, OSS projects that follow best practices will get a badge.

The initiators of the project believe that this will not only encourage developers to follow best practices, but it will also inform users on which projects are committed to security and quality.

The current criteria for best practices include project basics (a website, licensing information, and documentation), change control (a public version-controlled source repository, a changelog, and a bug reporting process), and quality assurance (a working build system and an automated test suite).

As far as security is concerned, the current criteria include protection against man-in-the-middle (MitM) attacks, a vulnerability reporting process, a vulnerability response process, and a patch development process. Developers must also use at least one static and one dynamic analysis tool to look for vulnerabilities and other defects in the source code.

“We are currently focused on identifying basic best practices that well-run OSS projects typically already follow. We are capturing other practices so that we can create more,” the initiators of the badge project said.

The CII admits that even OSS projects that follow best practices can have security flaws and other bugs, but the initiative believes they are in a better position to prevent, detect and address them.

OSS projects that follow best practices can receive a badge after conducting a self-assessment. In some cases, the evaluations will be conducted automatically by a tool.
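To make the self-assessment concrete, here is an added example (not CII's own tooling, and not code from the article) of a small checker that walks a project checkout and reports, for each criterion the article lists, whether it can be verified from the files alone. The file names it looks for (LICENSE, CHANGELOG, SECURITY.md, a tests directory, a .git directory) are assumptions about common OSS conventions, not requirements stated by the CII; the MitM check treats any plain http:// link published in the README as a failure, and the analysis-tool criteria are reported as needing a manual answer because file presence cannot prove a tool is actually run.

```python
"""Self-assessment checker for the badge criteria named in the article.

Added example. File-name conventions below are assumptions about typical
OSS layouts, not rules published by the CII.
"""
import re
import tempfile
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s)>\"']+")


def _has(project: Path, *patterns: str) -> bool:
    """True if any file or directory matching one of the glob patterns exists."""
    return any(any(project.glob(p)) for p in patterns)


def _readme_text(project: Path) -> str:
    for readme in project.glob("README*"):
        return readme.read_text(encoding="utf-8", errors="replace")
    return ""


def check_mitm_protection(project: Path):
    """Every URL the project publishes should be HTTPS: a plain http:// link to
    a download or site lets an on-path attacker substitute the content.
    Returns None when the README publishes no URLs at all (nothing to judge)."""
    urls = URL_RE.findall(_readme_text(project))
    if not urls:
        return None
    return all(u.startswith("https://") for u in urls)


# Checkers grouped the way the article groups the criteria. Each returns
# True (met), False (not met) or None (needs a human answer in the form).
CHECKS = {
    "basics": {
        "website": lambda p: bool(URL_RE.search(_readme_text(p))),
        "license": lambda p: _has(p, "LICENSE*", "COPYING*"),
        "documentation": lambda p: _has(p, "README*", "docs"),
    },
    "change_control": {
        "public_repo": lambda p: _has(p, ".git", ".hg"),
        "changelog": lambda p: _has(p, "CHANGELOG*", "NEWS*", "HISTORY*"),
        "bug_reporting": lambda p: "issue" in _readme_text(p).lower()
        or _has(p, "CONTRIBUTING*"),
    },
    "quality_assurance": {
        "build_system": lambda p: _has(
            p, "Makefile", "CMakeLists.txt", "setup.py", "pyproject.toml",
            "package.json", "Cargo.toml"),
        "test_suite": lambda p: _has(p, "test", "tests", "spec"),
    },
    "security": {
        "mitm_protection": check_mitm_protection,
        "vuln_reporting": lambda p: _has(p, "SECURITY*"),
        # Tool usage cannot be proven from file presence; ask the maintainer.
        "static_analysis": lambda p: None,
        "dynamic_analysis": lambda p: None,
    },
}


def assess(project: Path) -> dict:
    """Return {group: {criterion: 'pass' | 'fail' | 'manual'}}."""
    report = {}
    for group, checks in CHECKS.items():
        report[group] = {}
        for name, fn in checks.items():
            result = fn(project)
            report[group][name] = (
                "manual" if result is None else ("pass" if result else "fail"))
    return report


def unmet(report: dict) -> list:
    """Criteria that definitively fail, as 'group/criterion' strings."""
    return [f"{g}/{c}" for g, cs in report.items()
            for c, r in cs.items() if r == "fail"]


def make_sample_project() -> Path:
    """Constructed sample checkout: has most artifacts, but publishes an
    http:// download link and ships no SECURITY file."""
    root = Path(tempfile.mkdtemp())
    (root / "README.md").write_text(
        "# demo\nDocs: https://example.org/demo\n"
        "Download: http://example.org/demo.tar.gz\n"
        "Report bugs on the issue tracker.\n")
    (root / "LICENSE").write_text("MIT\n")
    (root / "CHANGELOG.md").write_text("## 0.1\n- first release\n")
    (root / "Makefile").write_text("all:\n\t@echo build\n")
    (root / "tests").mkdir()
    (root / ".git").mkdir()
    return root


if __name__ == "__main__":
    rep = assess(make_sample_project())
    for group, results in rep.items():
        for crit, status in results.items():
            print(f"{status:6} {group}/{crit}")
    print("unmet:", unmet(rep))
```

Run against the constructed sample, the script passes the basics, change-control and quality-assurance groups, reports the two analysis-tool criteria as manual, and fails only the MitM and vulnerability-reporting criteria; the failure list is what a maintainer would work through before requesting the badge.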

“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, senior director of infrastructure security at The Linux Foundation. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”

The CII was established in 2014 in response to the critical OpenSSL vulnerability known as Heartbleed. The first projects to receive support were OpenSSL, NTP and OpenSSH. In June, the CII announced financial support of nearly half a million dollars for a new open source automated testing project, Debian’s Reproducible Builds initiative, and Hanno Böck’s Fuzzing Project.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
