The Core Infrastructure Initiative (CII), a consortium of technology companies guided by The Linux Foundation, has thrown good money at solving the security woes of open source software. Since its inception last year, it has provided funding for the OpenSSL project allowing it to hire full-time help and audit and clean its codebase. It has also helped support the Open Crypto Audit Project (OCAP) which was behind the TrueCrypt audit, as well as GnuPG, Frama-C, and the Fuzzing Project.
In addition to funding specific projects, CII sponsors initiatives that preempt security trouble. Its latest venture, announced today, is the establishment of a free badge program that helps enterprise developers evaluate whether open source projects follow secure development practices. For now, CII is looking for industry feedback on what criteria should be used to establish the program’s eventual gold, silver and bronze tiers. A first draft of criteria, written by open source and security researcher David A. Wheeler of the Institute for Defense Analyses and Dan Kohn, a CII senior advisor, is available on GitHub.
Some of the criteria, such as whether the project has a public website, basic content, an OSS license, a public version-controlled source repository, bug reporting processes, unique version numbering, a change log and more, will ultimately be automatically testable, said CII senior director of infrastructure Emily Ratliff. For other criteria that cannot be tested automatically, such as whether multiple developers review commits, the CII will develop a survey-based system.
“When you’re creating a project, whether it’s open- or closed-source, very few projects are 100 percent your own code. You have to decide which projects you can rely upon,” Ratliff said. “Open source projects often don’t have risk evaluations, and it’s tricky to do yourself. We’re introducing this best practices badge program to make it easy to find all that information in one place and make it easy to see which project is self-certifying its security best practices around development.”
Ratliff hopes that developers—especially those already developing under some kind of software assurance model—contribute not only feedback on existing criteria but share additional best practices.
While there is no cost for the badge program, projects will have to enroll and be tested and/or complete the survey, Ratliff said.
“We want feedback on the criteria: Is it too easy, too hard,” Ratliff said. “This is ongoing, an open call for anyone. When we feel like we have had sufficient discussion with the key projects and with enough developers, we’ll move on to the next phase [completing the automated testing code and awarding badges].”
The CII also announced that it had added two new advisory board members, Adam Shostack and Tom Ritter. Shostack is best known for his time at Microsoft, where he designed the freely available threat modeling tool used by its Security Development Lifecycle. He is also the coauthor of The New School of Information Security. Ritter is practice director of Cryptography Services at NCC Group, one of the auditors involved in the TrueCrypt audit.