Introducing the Security Reviews Initiative

By May 5, 2021Blog

Author: Michael Scovetta, on behalf of the Identifying Security Threats Working Group

In addition to the Security Metrics initiative, the OpenSSF is proud to announce the Security Reviews initiative. Security Reviews joins a growing list of coordinated efforts spearheaded by the OpenSSF, aimed at securing the open source ecosystem. The initiative’s mission is to collect and curate a useful set of security assessments performed against open source packages. We would like to be a public resource, consumable by anyone under a permissive license, that anyone can contribute to. Through this, the project seeks to provide two important things:

1. An indicator of the security quality of a package

Individual open source projects are often reviewed by organizations to identify security weaknesses and address the health and security posture of upstream components. Sometimes these reviews are published, but more often are not. With access to a collection of security reviews in an open and collaborative environment, more individuals and organizations can remain informed and aware of the posture of the open source software they are using. 

2. Context where vulnerabilities or weaknesses exist

The open source community publishes more than 2,000 new packages on a given day, many of which form the foundation of modern technology. Individuals and organizations alike recognize the security risks associated with such a supply chain. By collecting key data from security reviews and associated work, this initiative provides insight into how much risk the open source space carries. 

Importance of this Initiative

Security reviews, source code audits, and associated work play a critical role in securing the open source ecosystem. A focused and well-scoped review executed by an experienced team has been shown to result in significant and long-lasting improvements. Organizations are increasingly supporting security reviews and recognizing the importance of cross-industry collaboration. The OpenSSF is a perfect example of this cross industry collaboration in action. With over 30 member organizations and counting, as well as multiple working groups and initiatives, the OpenSSF is enabling collaboration to secure the open source ecosystem with the Security Reviews initiative.  

We encourage all members of the security community to contribute security reviews to this project, and look forward to seeing its value and impact increase over time. For more information, please visit github.com/ossf/security-reviews.