Except for the desktop, Linux and open-source run the IT world. With great power comes great security responsibilities. While open-source security issues can be overstated, the simple truth is antique, insecure open-source software is everywhere. The Linux Foundation knows this. To address it, the Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have developed a survey for FLOSS contributors.
This builds on top of their “Vulnerabilities in the Core, a preliminary report and Census II of open-source software.” The study laid out a methodology for understanding and addressing open-source software structural and security complexities. Specifically, it also identifies the most commonly used FLOSS components in production applications and examines them for potential vulnerabilities. This new survey’s results will help build up:
A collaborative, pre-emptive approach for strengthening cybersecurity by improving open-source software security. We aim to support, protect, and fortify open software, especially software, critical to the global information infrastructure. We take a holistic view of security; we include security risks in critical projects that are inadequately sustained or vulnerable to supply chain attacks. We intend to use this survey information to help guide this approach.
Why? Because open-source is vital to today’s world. As David A. Wheeler, The Linux Foundation’s director of open-source supply chain security, said: “Open-source software is everywhere. Now, more than ever, we need to get a better understanding of it to help make it even more secure.”
In addition, the CII recently pointed out how it’s using its CII Best Practices badge program to encourage developers to secure their programs and to assure their users that the software is secure. Wheeler explained, “A CII Best Practices badge, especially a gold badge, shows that an OSS project has implemented a large number of good practices to keep the project sustainable, counter vulnerabilities from entering their software, and address vulnerabilities when found.”
Here’s how it works: The Core Infrastructure Initiative (CII) Best Practices badge shows a project follows security best practices. The badges let others quickly assess which projects are following best practices and are more likely to produce higher-quality secure software. Over 3,000 projects are taking part in the badging project.
There are three badge levels: Passing, silver, and gold. Each level requires that the OSS project meet a set of criteria; for silver and gold that includes meeting the previous level.
The “passing” level captures what well-run OSS projects typically already do. A passing score requires the programmers to meet 66 criteria in six categories. For example, the passing level requires that the project publicly state how to report vulnerabilities to the project, that tests are added as functionality is added, and that static analysis is used to analyze software for potential problems. As of June 14, 2020, there were 3,195 participating projects, and 443 had earned a passing badge.
The silver and gold level badges are intentionally more demanding. The silver badge is designed to be harder but possible for one-person projects. Here are examples of silver badge requirements (in addition to the passing requirements):
- The project must have FLOSS automated test suite(s) that provide at least 80% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language.
- The project results must check all inputs from potentially untrusted sources to ensure they are valid (a whitelist) and reject invalid inputs if there are any restrictions on the data.
The gold badge adds additional requirements. Gold badge requirements, besides the silver requirements, include:
- The project must have a “bus factor” of two or more. A “bus factor” is the minimum number of project members that must suddenly disappear from a project before it stalls due to a lack of knowledgeable or competent personnel. It comes from the old joke of whether a project can survive if its lead maintainer is hit by a bus.
- The project must have at least 50% of all proposed modifications reviewed before release by a person other than the author.
- The project must have a reproducible build.
- The project website, repository (if accessible via the web), and download site (if separate) must include key hardening headers with nonpermissive values.
Of course, a gold badge doesn’t mean a project’s perfectly secure and there are no bugs in the code. But a CII Best Practices badge, especially a gold badge, shows that a project has implemented numerous practices, which will keep the project sustainable, counter vulnerabilities from entering their software, and address vulnerabilities when found.
You can go to the CII Best Practices badge website to start earning a badge. For more background information on the best practices badge, see the presentation “Core Infrastructure Initiative (CII) Best Practices Badge in 2019.”
Finally, to help set best FLOSS security development practices going forward, take the FOSS Contributor Survey. They plan on closing the survey in early August.