A Project to Guarantee Better Security for Open-Source Projects
With many open-source projects built on top of others, a security weakness in a common piece of infrastructure can have far-reaching consequences. As OpenSSL's Heartbleed security hole demonstrated, these vulnerabilities can appear in even the most trusted packages.
Open-source developers, however, can take steps to help catch these vulnerabilities before software is released. Secure development practices can catch many issues before they become full-blown problems. But, how can you tell which open-source projects are following these practices? The Core Infrastructure Initiative has launched a new "Best Practice Badge Program" this week to provide a solution by awarding digital badges to open-source projects that are developed using secure development practices.
The Core Infrastructure Initiative is a non-profit project set up by the Linux Foundation. It organizes funding for vital open-source projects. The Initiative has the financial support of many large enterprises who rely on these open-source projects, including Amazon, Google, IBM and Cisco.
The Initiative focuses its attention on projects that form the backbone of different software stacks and are widely used. The OpenSSL project is a clear example. This software is used in many different operating systems and Web applications, so the potential fallout from any security flaws is vast.
Although it's just over a year old, it already is making a big difference to these essential packages. By funding essential security audits and development work, the Initiative has eliminated a large number of bugs and exploitable errors.
The badge program is the latest of the group's initiatives, which include:
- A broad census to help identify the projects that most need assistance.
- Tooling to develop tools that open-source projects can use to improve their development processes.
The badge program is only for genuine open-source projects, which means that applications are accepted only for software that is published with a suitable open-source license. To receive the badge, teams must implement the best practices and submit a questionnaire. They also run a simple utility against their project's repository, which performs a number of automated checks.
Required secure development practices include:
- Publicly accessible version-controlled source code repository.
- A bug reporting process.
- Correct versioning per the Semantic Versioning format.
- A changelog users can use to decide whether they should update.
- A working build system.
- A full test suite to detect regressions when changes are made to the codebase.
- The project must be secured against "man in the middle" attacks.
- A static analysis tool must be used to detect vulnerabilities and other defects.
- A dynamic analysis tool also should be used to detect vulnerabilities.
- There must be a process for reporting security vulnerabilities.
- All publicly known vulnerabilities must be patched within 60 days of discovery.
It's still the early days for the badge program, and the Initiative is open to suggestions for additional best practice requirements from the community.