

OpenSSF Tech Talk Recap: Using the OSPS Baseline to Navigate Standards and Regulations

May 6, 2025 | Blog

On April 24, the Open Source Security Foundation (OpenSSF) hosted a Tech Talk to help open source maintainers, contributors, and organizations better navigate the growing landscape of security standards and regulations.

Titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations,” the session explored how the OSPS Baseline can be applied to real-world projects—offering practical guidance on enhancing compliance, reducing risk, and building more resilient open source software.

On-demand video is now available.

Why This Matters

Open source projects are now squarely in the spotlight as governments and industry ramp up cybersecurity expectations. Yet, open source maintainers—often volunteers—are typically left without clear guidance on how to meet these expectations. Enter the Open Source Project Security (OSPS) Baseline: a maintainer-first, practical framework developed under OpenSSF to help projects improve their security posture while aligning with broader regulations like the EU Cyber Resilience Act (CRA).

Understanding the Problem

Emily Fox (Red Hat) kicked things off by tracing the evolution of security standards—from the 1980s to today’s supply chain attacks—and the challenge of applying these standards to open source. The key takeaway:

“Security and compliance language doesn’t translate easily to open source development. We’ve done a great job finding vulnerabilities—but not preventing them.”

As regulatory pressure increases (e.g., the CRA), open source is being asked to step up—but many projects lack the time, resources, or clarity to do so.

Introducing the OSPS Baseline

Ben Cotton (Kusari, Baseline SIG Lead) introduced the OSPS Baseline: a set of security controls designed to be:

  • Actionable: Clear “must” controls, no vague “shoulds”
  • Realistic: Tailored for projects of all sizes and resourcing levels
  • Structured: 3 maturity levels (Level 1 → 2 → 3, roughly corresponding to sandbox → incubating → graduated projects)
  • Mapped: Cross-referenced to regulations, frameworks, and tools such as the CRA, NIST SSDF, and OpenSSF Scorecard

“We wanted something maintainers could realistically adopt—without feeling overwhelmed or dictated to.”

The Baseline comprises 8 categories of controls and is published as a YAML-based spec that tooling can consume; it is developed openly with community feedback.

Tooling & Implementation

Tooling work is already underway to make evaluating a project against the Baseline easier:

  • Projects such as Darn and Privateer are automating Baseline checks.
  • A future reference architecture is planned to ensure tools remain open, modular, and standards-aligned.

How to Get Involved

Megan Knight (Arm, Global Cyber Policy WG Lead) encouraged the community to:

  1. Explore the Baseline and GitHub repo
  2. Adopt it in your projects
  3. Provide feedback via Slack or GitHub
  4. Contribute via the Awareness, Tooling, or Specifications workstreams

For more information, we encourage you to: 

Additional resources mentioned:

What’s Next

The panel closed with a reminder: this work is just beginning. The OSPS Baseline welcomes contributors from all backgrounds—not just security experts. Documentation, policy translation, UX, and education are all essential to making open source security more accessible.

And don’t forget—OpenSSF Community Days are coming up in:

Catch us at Community Days and learn more about the OSPS Baseline there!

Missed the talk? Slides and recordings are available. Watch the on-demand video and download the slides here.