Evaluating the security of open source software

The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software.

The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA) and is also coordinating the CII’s Census Project, and Dan Kohn, a senior adviser on the CII.

Virtually every industry and business leverages open source, and is therefore more interconnected and dependent on it than ever before. Despite its prevalence, trying to quickly determine the best maintained and most secure open source to use is a complex problem.

The self-assessment, and the badges that will follow, are designed to be a simple, fairly basic way for projects to showcase their commitment to security and quality. The criteria is also meant to encourage open source software (OSS) projects to take positive steps with both in mind and to help users know which projects are taking these positive steps.

Established in 2014 in response to the Heartbleed vulnerability, CII is a multi-million dollar project that funds and supports critical elements of the global information infrastructure. Moving beyond funding projects, CII is introducing pre-emptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices.

“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”

Projects that follow best practices can still have vulnerabilities, other bugs, and other kinds of problems, but they should be a better position to prevent, detect and fix them. For example, many practices suggest a multi-person review, which can help find otherwise hard-to-find vulnerabilities. Currently the criteria include general best practices combined with questions specific to security. The questionnaire asks if a project includes an OSS license; a public version-controlled source repository; a general mailing list; an automated regression test suite; and at least one static analysis tool applied to source code to look for vulnerabilities.