
On April 24, the Open Source Security Foundation (OpenSSF) hosted a Tech Talk to help open source maintainers, contributors, and organizations better navigate the growing landscape of security standards and regulations.
Titled "How to Use the OSPS Baseline to Better Navigate Standards and Regulations," the session explored how the OSPS Baseline can be applied to real-world projects, offering practical guidance on enhancing compliance, reducing risk, and building more resilient open source software.
On-demand video is now available.
Why This Matters
Open source projects are now squarely in the spotlight as governments and industry ramp up cybersecurity expectations. Yet open source maintainers, often volunteers, are typically left without clear guidance on how to meet these expectations. Enter the Open Source Project Security (OSPS) Baseline: a maintainer-first, practical framework developed under OpenSSF to help projects improve their security posture while aligning with broader regulations like the EU Cyber Resilience Act (CRA).
Understanding the Problem
Emily Fox (Red Hat) kicked things off by tracing the evolution of security standards, from the 1980s to today's supply chain attacks, and the challenge of applying these standards to open source. The key takeaway:
"Security and compliance language doesn't translate easily to open source development. We've done a great job finding vulnerabilities, but not preventing them."
As regulatory pressure increases (e.g., the CRA), open source is being asked to step up, but many projects lack the time, resources, or clarity to do so.
Introducing the OSPS Baseline
Ben Cotton (Kusari, Baseline SIG Lead) introduced the OSPS Baseline: a set of security controls designed to be:
- Actionable: Clear “must” controls, no vague “shoulds”
- Realistic: Tailored for projects of all sizes and resourcing levels
- Structured: 3 maturity levels (sandbox → incubating → graduated)
- Mapped: Tied to standards like CRA, SSDF, and OpenSSF Scorecard
"We wanted something maintainers could realistically adopt, without feeling overwhelmed or dictated to."
The Baseline includes 8 categories of controls and a YAML-based spec for tooling, and it is developed openly with community feedback.
Tooling & Implementation
Tooling is already underway to make evaluation easier:
- Projects like Darn and Privateer are automating baseline checks.
- A future reference architecture is planned to ensure tools remain open, modular, and standards-aligned.
How to Get Involved
Megan Knight (Arm, Global Cyber Policy WG Lead) encouraged the community to:
- Explore the Baseline and GitHub repo
- Adopt it in your projects
- Provide feedback via Slack or GitHub
- Contribute via the Awareness, Tooling, or Specifications workstreams
For more information, we encourage you to:
- Visit the WG Repository: Global Cyber Policy WG GitHub
- Join Our Slack Channel: #wg-globalcyberpolicy on Slack
- Subscribe to Mailing Lists:
Additional resources mentioned:
- LF Research: Unaware & Uncertain
- LF Research: Pathways to Best Practices in OSS
- Free CRA course: Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)
What's Next
The panel closed with a reminder: this work is just beginning. The OSPS Baseline welcomes contributors from all backgrounds, not just security experts. Documentation, policy translation, UX, and education are all essential to making open source security more accessible.
And don't forget: OpenSSF Community Days are coming up in:
- North America: June 26
- Japan: June 18
- India: August 4
- Europe: August 28 (CFP closes May 26)
Catch us at Community Days and learn more about the OSPS Baseline there!
Missed the talk? Slides and recordings are available. Watch the on-demand video and download the slides here.