The Linux Foundation’s Open Source Security Foundation (OpenSSF) on Tuesday announced the initial release of a project designed to establish minimum security requirements for open source software.
Named Open Source Project Security Baseline, or OSPS Baseline, the initiative aims to enhance the security of open source projects by providing guidance on implementing a minimum set of best practices aimed at reducing the risk of vulnerabilities and improving a project’s trustworthiness.
The OSPS Baseline is a security checklist that is based on guidance from OpenSSF and other groups. It outlines tasks, artifacts, processes and configurations, and it has been described by its developers as a tiered framework that grows alongside a project.
The baseline can help developers understand others’ expectations in terms of security. It can also be useful for marketing purposes — users are more likely to adopt a project that takes security seriously.
Unless required by a sponsor to meet a specific baseline level, all projects are encouraged to achieve at least level 1 requirements, which establish what OSSF describes as a “universal security floor” for open source projects.
Projects that have a large number of regular users are advised to adhere to level 3, which is the top tier.
Level 1 includes the use of MFA, requirements related to whom and how they can contribute to a project, release and licensing requirements, as well as issues related to version control and project documentation.
Level 3 focuses more on privilege management, releases and project documentation, and testing.
“The Open Source Project Security Baseline is a vital tool for enhancing the security of open source projects,” said Per Beming, chief standardization officer at Ericsson. “By offering a comprehensive set of actionable measures, the Security Baseline provides effective guidance for all stakeholders in the open source ecosystem – manufacturers, stewards, and projects alike – to collaboratively assume responsibility and take meaningful steps to secure the open source supply chain on which we all rely.”
The OSPS Baseline is maintained by a special interest group, but all stakeholders are encouraged to contribute to refining the framework, as well as to promote its use.
Related: Cyber Insights 2025: Open Source and Software Supply Chain Security
Related: Google Open Sources Security Patch Validation Tool for Android
Related: Google Releases Open Source Library for Software Composition Analysis
