The Linux Foundation’s Core Infrastructure Initiative (CII), a project that aims to bring technology companies together with the goal of identifying and funding critical open source projects, announced on Tuesday that it’s developing a new security-focused badge program.
The CII has asked the open source community to provide feedback on a set of criteria that will be used to determine the security, stability and quality of open source software (OSS). As part of this program, OSS projects that follow best practices will get a badge.
The initiators of the project believe that this will not only encourage developers to follow best practices, but it will also inform users on which projects are committed to security and quality.
The current criteria for best practices includes project basics (a website, licensing information, and documentation), change control (a public version-controlled source repository, a changelog, and a bug reporting process), and quality assurance (working build system, automated test suite).
As far as security is concerned, the current criteria includes protection against man-in-the-middle (MitM) attacks, a vulnerability reporting process, a vulnerability response process, and a patch development process. Developers must also use at least one static and one dynamic analysis tool to look for vulnerabilities and other defects in the source code.
“We are currently focused on identifying basic best practices that well-run OSS projects typically already follow. We are capturing other practices so that we can create more,” the initiators of the badge project said.
The CII admits that even OSS projects that follow best practices can have security flaws and other bugs, but the initiative believes they are in a better position to prevent, detect and address them.
OSS projects that follow best practices can receive a badge after conducting a self-assessment. In some cases, the evaluations will be conducted automatically by a tool.
“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, senior director of infrastructure security at The Linux Foundation. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”
The CII was established in 2014 in response to the critical OpenSSL vulnerability known as Heartbleed. The first projects to receive support were OpenSSL, NTP and OpenSSH. In June, the CII announced financial support of nearly half a million dollars for a new open source automated testing project, Debian’s Reproducible Builds initiative, and Hanno Böck’s Fuzzing Project.