Identifying Security Threats in Open Source Projects
The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
Motivation
Open source software is an essential part of modern software development, and of practically all technology solutions. Adoption of open source software has grown over the past two decades, powering everything from tiny "Internet of Things" devices to the most advanced supercomputers in the world. This has led to enormous productivity gains, allowing software engineers to focus more on solving business problems and less on creating and re-creating the same building blocks needed in many situations.
With these benefits, however, comes some risk. Attackers frequently target open source projects and the ecosystems they are a part of in order to compromise the organizations or users that use those projects. It's essential that we understand these threats and work to build defenses against them.
Objective
Our objective is to enable stakeholders to have informed confidence in the security of open source projects. This includes identifying threats to the open source ecosystem and recommending practical mitigations. We will also identify a set of key metrics and build tooling to communicate those metrics to stakeholders, enabling a better understanding of the security posture of individual open source software components.
Scope
The scope of this working group includes "security", as opposed to privacy, resiliency, or other related areas. We also consider the broad open source ecosystem, as opposed to focusing exclusively on critical open source projects.
Active Projects
-
  - Leads: Michael Scovetta, Michael Winser, Brian Behlendorf
-
  - Lead: Marta Rybczynska
- Security Insights - Provides a mechanism for projects to report information about their security practices in a machine-readable way.
  - Lead: Luigi Gubello
- Security Metrics - This project's purpose is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.
  - Lead: Michael Scovetta [existing implementation]
  - Leads: Vinod, Jay White, Christine Abernathy
- Security Reviews - This repository contains a collection of security reviews of open source software.
Inactive Projects
Get Involved
- Please get involved with our specific projects, e.g.,
- Mailing List and Security Reviews (manage your subscriptions to OpenSSF mailing lists)
- OpenSSF Community Calendar
- Join us on Slack
Related Work
- OpenSSF Best Practices Badge Program - an input to the metrics dashboard generated by the Security Metrics project (formerly named CII Best Practices Badge Program).
- OpenSSF Scorecard - another input to the metrics dashboard
- CHAOSS - develops definitions of metrics
- All of OpenSSF
Quick Start
The best way to get started is to simply join a working group meeting. You can also read our Meeting Minutes to get up to speed with what we're up to.
Meeting Times
- We meet every other week on Wednesdays. See the OpenSSF Community Calendar.
Meeting Notes
Meeting Minutes: if attending, please add your name; if you are a returning attendee, please change the color of your name from gray to black.
Antitrust Policy Notice
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
Governance
The CHARTER document outlines the scope and governance of our group activities.
- Lead: Michael Scovetta