By Luigi Gubello, Pitch and Michael Scovetta, Microsoft
This month’s spotlight is on the OpenSSF Identifying Security Threats Working Group, which recently released the first version of the Security Insights Specification. This Working Group is dedicated to equipping the community with tools and documents for assessing the health of open source projects using metrics and other supporting evidence.
The Working Group started three years ago by releasing the first version of the paper “Threats, Risks, and Mitigations in the Open Source Ecosystem” to help open source maintainers and contributors identify threats in the development cycles of a project and evaluate risks in the open source ecosystem. Keeping in mind this purpose, the Working Group has continued to work on projects that could help open source consumers to better evaluate the health of open source projects.
Highlights of the Past Few Months
In the last months, the group has been focused on the following projects:
- Security Insights provides a way for OSS maintainers to express information regarding security posture and practices in place in the project in both human-readable and machine-readable format (YAML). In October 2023, we announced Release v.1.0.0 of the Security Insights Specification.
- The document “Threats, Risks, and Mitigations in the Open Source Ecosystem” establishes a common understanding of the security risk landscape for the open source ecosystem. In 2023, we have worked to release an update, and we are almost ready to publish version 1.2.
New and Upcoming Initiatives
Security Insights specification v.1.1.0: We are working to release the next update for the specification Security Insights by following the collected feedback from the OpenSSF and open-source community. We are also working on defining a public roadmap.
Risk Dashboard: The Working Group is almost ready to launch a demo for the Risk Dashboard, an online dashboard to aggregate insights and metrics about the health of open-source projects. The Risk Dashboard provides relevant metrics so consumers of open source can understand their risk, by aggregating data from OpenSSF Scorecard, OpenSSF Best Practices badge, contribution data, vulnerability data, and other sources.
Threats and Risks in the Open Source Ecosystem: We released the first version of our paper “Threats, Risks, and Mitigations in the Open Source Ecosystem” in 2020, to document high-level threats, security risks, and potential mitigations associated with the open source ecosystem. In 2023, OpenSSF has nine Working Groups, which have identified additional threats, risks, and mitigationsin their working areas. We would like to collaborate with other Working Groups to release community-oriented documentation that can cover all the threats and risks identified by OpenSSF WGs.
Everyone is welcome, and we appreciate contributions, questions, feedback, and help because they assist us in improving our work. 🌸 Don’t be afraid if you don’t work in the info security field; we genuinely value contributions from individuals with diverse backgrounds 🦄.
We meet every other week on Wednesdays, and see the OpenSSF Community Calendar for more information.
You can also find us in the OpenSSF Community Slack: #wg_identifying_security_threats and #security_insights. And on GitHub: ossf/wg-identifying-security-threats. For our WG Code of Conduct, see the OpenSSF Code of Conduct.
About the Authors
Luigi works at Pitch as a security engineer, and at OpenSSF he co-leads the Identifying Security Threats working group, which helps to identify threats to the open source ecosystem and to recommend mitigations and good practices.
Michael co-leads the Identifying Security Threats working group and the Alpha-Omega project. At Microsoft, he leads a security team that helps engineering teams understand and mitigate supply chain security risk.