Free badge program helps determine the security of open source software
The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that aims to improve the security of critical open source projects, issued its first round of CII Best Practices Badges. Early badge earners include Curl, GitLab, the Linux kernel, OpenBlox, OpenSSL, Node.js and Zephyr.
This is a free program that seeks to determine security, quality and stability of open source software. The CII Best Practices online app enables developers to quickly determine whether they are following best practices and to receive a badge they can display on GitHub and other online properties when they pass.
The app and its criteria are an open source project to which developers can contribute.
The latest round of badges includes an assessment of OpenSSL, the open source library behind much of the Internet's TLS encryption, as it stood both before the Heartbleed vulnerability and after the project received support from CII. Prior to Heartbleed, OpenSSL failed to meet more than one-third of the CII Best Practices Badge criteria; today it meets 100 percent. This shows how far OpenSSL has come with the support of the industry and how a badge score can signal whether a project is passing or failing.
“Open source projects often have very good security practices in place but need a way to validate those against industry and community best practices and ensure they’re always improving,” said Nicko van Someren, CTO at The Linux Foundation.
Determining the security of software is an industry-wide challenge for both proprietary and open source software. As the role of open source software in supporting the world’s most critical infrastructure has grown, it has become essential both to understand the best practices for security, quality and stability of this code and to be able to validate that a project meets those criteria.
The CII Best Practices Badge program addresses this challenge by helping projects determine quickly (generally, in under an hour) and through a trusted source whether they meet open source best practices. The program is an open source project designed in collaboration with the community and seeks ongoing input to ensure that the most relevant criteria for the badge are included and continually updated.
The project is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA) and is also coordinating the CII’s Census Project, and Dan Kohn, a senior adviser on the CII. Wheeler and Kohn are working with open source developers to make the certification process seamless and automated and welcome input and pull requests.