OSPS Baseline: Practical security best practices for open source software projects

The Open Source Security Foundation (OpenSSF), a cross-industry initiative by the Linux Foundation, has announced the initial release of the Open Source Project Security Baseline (OSPS Baseline), a tiered framework of security practices that evolve with the maturity of open source projects.

About the OSPS Baseline

The OSPS Baseline compiles existing guidance from OpenSSF and other expert groups into a single set of tasks, processes, artifacts, and configurations. Each item is meant to improve the security of how software is developed and consumed and, taken together, they should give an open source project a measurably better security posture.

The outlined practices cover access control, documentation, governance, build and release, security assessment, vulnerability management, and more. The Baseline groups its controls into three tiers, scoped by the size and activity of the project:

  • Maturity Level 1: for any code or non-code project, with any number of maintainers or users
  • Maturity Level 2: for any code project that has at least two maintainers and a small number of consistent users
  • Maturity Level 3: for any code project that has a large number of consistent users

By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

Christopher Robinson, Chief Security Architect at OpenSSF, says that they are confident that the security best practices they laid out are both practical and impactful.

“We’ve gotten helpful feedback from projects involved in the pilot rollout, including adoption commitments from GUAC, OpenVEX, bomctl, and Open Telemetry,” said Stacey Potter, Independent Open Source Community Manager, after helping lead the OSPS Baseline pilot efforts.

“We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project. Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone!”

OpenSSF invites open source developers, maintainers, and organizations to make use of the OSPS Baseline. Through engaging with this initiative, stakeholders can also contribute to refining the framework and promoting widespread adoption of security best practices in the open source community.
