The Linux Foundation’s Core Infrastructure Initiative (CII) has launched a new security-focused badge program to improve the quality and stability of open-source software security.
Open-source software provides the backbone for many of the online services we use today. However, with popularity comes a price — most often the attention of hackers looking for weak points and breaks in software security to exploit. Without a dedicated team of security professionals on board, it is a complicated, difficult and often expensive process to patch up problems before vulnerabilities weaken the online services — and their users — that rely on open-source software.
Announced on Wednesday at LinuxCon, the CII — a consortium of companies and developers which fund open-source projects in need of critical assistance — said the new Badge Program is a “secure open-source development maturity model” designed to give developers useful criteria on which to base their security priorities.
Spearheaded by Institute for Defense Analyses (IDA) security researcher David Wheeler, the first draft of the criteria includes a self-assessment exploring development practices — such as licenses and user engagement — and whether or not change controls and automated test suites are used.
The badge system focuses on security and asks questions including which security project delivery methods are used, and whether or not dynamic and static analysis come into play.
The CII says the security badge is “meant to encourage open-source software projects to take positive steps with both in mind [security and quality] and to help users know which projects are taking these positive steps.”
“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation.
“A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”
In addition, the CII has added two new advisory members to the board. Adam Shostack, already a member of the BlackHat Review Board, will be joining the group, as well as Tom Ritter, Practice Director of Cryptography Services, part of NCC Group.