Linux Foundation tackles open source security with new badge program

The Core Infrastructure Initiative's Best Practices Badge program will help businesses identify which open source projects follow a security-focused methodology

Organizations have plenty of choices when looking at open source software, but the challenge lies in picking the right project to fit their needs. The CII Best Practices Badge program from the Linux Foundation's Core Infrastructure Initiative is intended to help organizations evaluate open source technologies based on security, quality, and stability.

Businesses increasingly rely on open source software, but they usually don't have a way to tell if developers are following secure coding practices, how they handle vulnerabilities and security updates, or how stable the software is. The CII Best Practices Badge program gives businesses answers to these questions.

"Giving people information about how the code is produced is much more valuable than saying, 'This specific version is secure,'" said Nicko van Someren, CTO of the Linux Foundation.

The CII Best Practices Badge program does not designate specific products or software versions as being secure or free of vulnerabilities. Instead, the program asks open source project owners to answer questions about how their projects are managed and how the software is developed. Projects that pass -- that is, whose self-reported answers show they follow the best practices -- receive a badge to display on GitHub and elsewhere. Because the badge rests on the project's own answers, it is a statement about process, not an audit of the code, and a passing badge is no substitute for checking how a project actually handles vulnerability reports and security updates.

Consider the program as open source software's equivalent to a LEED (Leadership in Energy & Environmental Design) certification, said van Someren, referring to the certification program that indicates a construction project follows best practices for green buildings. If a building has LEED designation, that means the builders followed a set of green practices such as water savings, energy efficiency, and indoor environmental quality. Similarly, if an open source project earns a Best Practices Badge, that means the developers behind the project meet CII's guidelines for security.

"We aren't focusing on specific versions of the software or products, but on the process being followed to develop the project," van Someren said. "The badge indicates the project owners provided us proof that they are following best practices."

Inaugural badge holders include OpenSSL, Curl, GitLab, the Linux kernel, OpenBlox, Node.js, and Zephyr. CII's website has a searchable directory of open source projects that indicates whether they "pass" or "fail" CII best practices. Projects will have to renew their qualifications on an ongoing basis to ensure they continue to receive pass ratings.

Van Someren said OpenSSL is a good example of how a project can address problems with how it is managed and improve its model. In 2014, when the Heartbleed vulnerability was disclosed, OpenSSL would have failed more than a third of CII's criteria. Today OpenSSL's status is "passing," with no outstanding issues reported against the criteria; consistent with the program's own framing, that speaks to the project's process, not to the absence of vulnerabilities in any particular release.

Open source project owners can sign up for the badging program and learn more about the criteria on the CII Best Practices page.

Organizations that rely on open source software can use the badges to identify projects that follow a security-focused methodology. Developers benefit from taking part in the CII Best Practices Badge program because they can quickly find out whether their projects meet open source best practices, and if they fall short of the badging requirements, they get feedback on what to fix.

"Open source projects often have very good security practices in place but need a way to validate those against industry and community best practices and ensure they're always improving," said van Someren.

The Linux Foundation launched the Core Infrastructure Initiative in April 2014 after the disclosure of the Heartbleed vulnerability in OpenSSL. Many open source projects considered critical to global infrastructure turned out to lack the dedicated resources needed to maintain and improve the software. CII provides funds and other types of support for those projects.

Like any open source initiative, the badge program needs the developer community to be involved. The program is led by David A. Wheeler, an open source and security research expert with the Institute for Defense Analyses (IDA), and Dan Kohn, a CII senior advisor. Even though the best practices developed by IDA aren't aligned against a specific framework or standard, there was a consensus on what should be included in the set, van Someren said. And in cases where things don't quite match up, developers are encouraged to provide input so the program includes the most relevant criteria.

"The list of best practices should reflect what the community thinks," van Someren said. "Go to GitHub and collaborate on the best practices list."

As more and more organizations rely on open source software, concerns about its security have grown. Much of the attention thus far has been on static and dynamic analysis, to uncover security vulnerabilities in code, and on ensuring that developers use secure third-party libraries and components when writing code. Recently, Underwriters Laboratories (UL) announced a Cybersecurity Assurance Program to test network-connected products for software vulnerabilities. CII's badging program approaches software security from a different angle: it looks at how a project is run rather than at what a particular build contains.

"Everyone is working towards the same goal, but everyone has a different approach," van Someren said. "More information is always better."

Copyright © 2016 IDG Communications, Inc.