The Open Source Security Foundation (OpenSSF) community is working diligently to improve the security of the open source ecosystem. This is no small mission, so we are excited to share all of the work that is happening. In case you missed our recent Town Hall meeting, the resources can be found here.
Working Group Progress
Our working groups are where the work gets done, and contributors from across the industry have made important progress in recent months.
Identifying Security Threats: New Security Metrics Initiative Unveiled
This group has been working on Security Metrics and is thrilled to unveil it as OpenSSF's latest initiative! The initiative collects, curates and communicates relevant security metrics for open source projects. This data can be used, for example, to aid the selection of open source software (OSS).
- Includes data for 105k projects, with metrics coming from:
  - Scorecard
  - Criticality Score
  - Best Practices Badge Program
  - Security Reviews (see below)
- Grafana-based dashboard
- Simple JSON API
For more information about the work, please visit https://metrics.openssf.org.
And to get a deep dive from the working group lead, check out this blog post, Introducing the Security Metrics Initiative, by Michael Scovetta.
This group has also released the Security Reviews repository on GitHub! This repository contains a collection of security reviews of open source software. It is a public resource that anyone can contribute to, and it is consumable by anyone under a permissive license.
- Curated, community-driven collection of security reviews of open source projects.
- Provides both positive and negative indicators of security quality.
- Can reference existing reviews already completed by third parties.
- Does your organization perform security reviews of open source projects? Please consider contributing to this project.
- Progress so far:
  - Linux Kernel (via Open Source Technology Improvement Fund (OSTIF))
  - Zlib (via Trail of Bits and TrustInSoft)
  - NPM (five packages)
  - Dependency Confusion Attacks
For more information, please visit: github.com/ossf/security-reviews
Best Practices
The Best Practices for OSS Developers working group is dedicated to raising awareness of, and educating open source developers in, secure coding best practices. Its latest work includes:
- CII Best Practices badge
  - New tool released to simplify automated updating of project data
  - Began Swahili translation, in addition to English, Chinese (Simplified), Spanish, French, German, Japanese, Brazilian Portuguese, and Russian
  - Added new "Project is maintained" criterion (was always implied, now stated explicitly)
  - Many technical updates (Rails 6.1, Ruby 3.0.1, various libraries)
- Secure Software Development Fundamentals (edX course)
  - Course content now available in Markdown format under a CC-BY license
  - Markdown format enables others to more easily build on the educational materials
Vulnerability Disclosures
The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping to mature, and advocating for, well-managed vulnerability reporting and communication. Its latest work includes:
- Releasing the Vulnerability Disclosure Pain Points document
- A vulnerability disclosure whitepaper for OSS projects
- Guidance on the vulnerability management process for OSS projects
In Case You Missed the Initiatives from Last Quarter
Security Tooling
This working group focuses on identifying and building universally accessible, developer-focused tooling to help the open source community secure its code. It has also begun to develop guidance on security tools.
OWASP ZAP now freely available on GitHub Actions Marketplace
Securing Critical Projects
This working group focuses on understanding which open source software projects are the most critical so that security work can be prioritized accordingly.
- package-feeds – parses update feeds from language package managers so that newly published packages can be picked up for analysis
- package-analysis – analyzes open source packages for malicious software
About the OpenSSF
The OpenSSF is a cross-industry organization that brings together the industry's most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation's Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, to build a community to support open source security for decades to come.
For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.