All Posts By Carly Driggers
Introducing the Security Reviews Initiative

By Blog

Author: Michael Scovetta, on behalf of the Identifying Security Threats Working Group

In addition to the Security Metrics initiative, the OpenSSF is proud to announce the Security Reviews initiative. Security Reviews joins a growing list of coordinated efforts spearheaded by the OpenSSF and aimed at securing the open source ecosystem. The initiative's mission is to collect and curate a useful set of security assessments performed against open source packages: a public resource, consumable by anyone under a permissive license, that anyone can contribute to. Through this, the project seeks to provide two important things:

1. An indicator of the security quality of a package

Individual open source projects are often reviewed by organizations to identify security weaknesses and to assess the health and security posture of upstream components. Sometimes these reviews are published, but more often they are not. With access to a collection of security reviews in an open and collaborative environment, more individuals and organizations can stay informed about the posture of the open source software they are using.

2. Context where vulnerabilities or weaknesses exist

The open source community publishes more than 2,000 new packages each day, many of which form the foundation of modern technology. Individuals and organizations alike recognize the security risks associated with such a supply chain. By collecting key data from security reviews and associated work, this initiative provides insight into how much risk the open source space carries.

Importance of this Initiative

Security reviews, source code audits, and associated work play a critical role in securing the open source ecosystem. A focused and well-scoped review executed by an experienced team has been shown to result in significant and long-lasting improvements. Organizations are increasingly supporting security reviews and recognizing the importance of cross-industry collaboration. The OpenSSF is a perfect example of this cross-industry collaboration in action. With over 30 member organizations and counting, as well as multiple working groups and initiatives, the OpenSSF is enabling collaboration to secure the open source ecosystem with the Security Reviews initiative.

We encourage all members of the security community to contribute security reviews to this project, and look forward to seeing its value and impact increase over time. For more information, please visit github.com/ossf/security-reviews.

May 2021 Update: OpenSSF Unveils New Security Initiative


The Open Source Security Foundation (OpenSSF) community is working diligently to improve the security of the open source ecosystem. This is no small mission, so we are excited to share all of the work that is happening. In case you missed our recent Town Hall meeting, the resources can be found here.

Working Group Progress

Our working groups are where the work gets done, and contributors from across the industry have made important progress in recent months. 

Identifying Security Threats: New Security Metrics Initiative Unveiled
This group has been working on Security Metrics and is thrilled to unveil it as OpenSSF's latest initiative! The initiative collects, curates and communicates relevant security metrics for open source projects. This can be used, for example, to aid selection of open source software (OSS).

  • Includes data for 105k projects, with metrics coming from:
    • Scorecard
    • Criticality Score
    • Best Practices Badge Program
    • Security Reviews (see below)
  • Grafana-based dashboard
  • Simple JSON API

For more information about the work, please visit https://metrics.openssf.org.

And to get a deep dive from the working group lead, check out this blog post, Introducing the Security Metrics Initiative, by Michael Scovetta.

This group has also released the Security Reviews repository on GitHub! This repository contains a collection of security reviews of open source software. It is a public resource that anyone can contribute to and is consumable by anyone under a permissive license.

  • Curated, community-driven collection of security reviews of open source projects.
  • Provides both positive and negative indicators of security quality.
  • Can reference existing reviews already completed by third parties.
  • Does your organization perform security reviews of open source projects? Please consider contributing to this project.
  • Progress so far:
    • Linux Kernel (via Open Source Technology Improvement Fund (OSTIF))
    • Zlib (via Trail of Bits and TrustInSoft)
    • NPM (five packages)
    • Dependency Confusion Attacks

For more information, please visit: github.com/ossf/security-reviews

Best Practices
The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers. Its latest work includes:

  • CII Best Practices badge
    • New tool released to simplify automated update of project data
    • Began Swahili translation, in addition to English, Chinese (Simplified), Spanish, French, German, Japanese, Brazilian Portuguese, and Russian
    • Added new “Project is maintained” criterion (was always implied, now stated)
    • Many technical updates (Rails 6.1, Ruby 3.0.1, various libraries)
  • Secure Software Development Fundamentals (edX course)
    • Course content now available in Markdown format under CC-BY license
    • Markdown format enables others to more easily build on the educational materials

Vulnerability Disclosures
The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping to mature and advocate for well-managed vulnerability reporting and communication. Its latest work includes:

In Case You Missed the Initiatives from Last Quarter

Security Tooling
This working group focuses on identifying and building universally accessible, developer-focused tooling to help the open source community secure their code. It has also begun to develop some guidance on security tools.

OWASP ZAP now freely available on GitHub Actions Marketplace

Securing Critical Projects
This working group focuses on understanding which open source software projects are the most critical so that security work can be prioritized accordingly.

About the OpenSSF

The OpenSSF is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. 

For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.

Introducing the Security Metrics Initiative


Author: Michael Scovetta, on behalf of the Identifying Security Threats Working Group

The OpenSSF would like to announce the initial release of the Security Metrics initiative. The primary objective of this initiative is to provide decision-relevant information about the threats and risks associated with open source projects. Security Metrics comes with a dashboard that helps stakeholders make reliable, informed decisions about using such projects in their software supply chain.

How Does It Work?

Security Metrics collects security-oriented data from sources such as:

  • Scorecard – measures the security posture of open source projects
  • Criticality Score – determines the influence and importance of open source projects
  • Best Practices Badge – communicates how well security best practices are followed
  • Security Reviews – displays security assessments performed by researchers

Example

Here is an example of the information shown after a search for the Kubernetes project. While no single metric can fully describe the security risks of using a piece of software, we believe that having multiple metrics accessible from a central location can be helpful in making informed decisions.

Dashboard generated for the Kubernetes project

Where Are We Now?

Our initial “early alpha” release includes data collected on over 100,000 projects, accessible through a dashboard as well as a simple API. Over the next few months, we plan to release additional features (such as new metrics and richer API access), increase the number of projects covered, and improve the overall user experience.

You can access the Security Metrics at https://metrics.openssf.org. Your feedback is most welcome, and if you’re interested in learning more or joining this effort, please reach out to Michael Scovetta or join us at our next working group meeting.

Upcoming OpenSSF Town Hall on May 3, 2021


The OpenSSF community has been working diligently to improve the security of the open source ecosystem. We would like to share all of the great work that is happening and invite you to participate.

We hope to see you at our next OpenSSF Town Hall Meeting on Monday, May 3, from 10:00 AM to 11:00 AM PDT. This event is open to the public; please help us spread the word by sharing with your social networks! Click here to register.