Open Source Security Foundation

Projects Overview

Projects

• OSPS Baseline
• Scorecard
• GUAC
• OpenVEX
• Protobom
• bomctl
• SBOMit
• Sigstore
• SLSA
• S2C2F

• Zarf
• gittuf
• OSV Schema
• Package Analysis
• RSTUF
• Best Practices Badge
• Criticality Score
• Fuzz Introspector
• Security Insights Specification

OpenSSF Working Groups

AI/ML Security

BEAR

Belonging, Empowerment, Allyship, and Representation

BEST

Best Practices for

Open Source Developers

Global Cyber Policy

ORBIT

Open Resources for Baselines, Interoperability, and Tooling

Securing Critical Projects

Securing Software Repositories

Security Tooling

Supply Chain Integrity

Vulnerability Disclosures

Visit the Working Groups page at https://openssf.org/community/openssf-working-groups/ for information on each group.

OpenSSF Technical Initiatives Landscape

ORBIT (Open Resources for Baselines, Interoperability, and Tooling)

O1. OSPS Baseline project

​

Vulnerability Disclosures

V1. CVD Guides SIGs

V2. OSV Schema project

V3. OpenVEX SIG

OpenVEX Project

DevRel Community

Best Practices

B1. OpenSSF Best Practices Badge project

B2. OpenSSF Scorecard project

B3. Education SIG

B4. Memory Safety SIG

B5. C/C++ Compiler Options SIG

B6. Python Hardening SIG

Source code

Build

Package

Package selection information

Vulnerability information

Dependencies

Security Tooling

T1. SBOM Everywhere SIG

T2. OSS Fuzzing SIG

T3. SBOMit project

T4. Protobom project

T5. bomctl project

T6. Fuzz Introspector project

T7. Minder project

T8. OpenBao project

​

Supply Chain Integrity

C1. Security Insights project

C2. SLSA project

C3. S2C2F project

C4. Gittuf project

C5. GUAC project

C6. Zarf project M

​

Securing Critical Projects

CP1. criticality_score project

CP2. Package Analysis project

​

Securing Software Repositories

R1. RSTUF Project

AI/ML Security

A1. Model Signing SIG & Project

BEAR (Belonging, Empowerment, Allyship, and Representation)

B3

B4

C3

B5

B6

C1

C5

CP1

CP2

P1

P3

R1

B2

C4

B1

T1

T2

T3

C2

P2

C3

V1

V2

V3

C1

C6

A1

T4

T5

T6

T7

Projects

P1. Alpha & Omega project

P2. Sigstore

P3. Core Toolchain Infrastructure (CTI)

O1

O1

Global Cyber Policy

T8

OpenSSF Scorecard

Quickly assess open source projects�for risky practices.

OpenSSF Scorecard: Use Cases

For individual maintainers

• Helpful as a pre-launch security checker for a new project or to plan improvements to an existing one.

For an organisation

• Include in CI/CD processes using the GitHub action and run by default on pull requests.

For consumers

• Helps to make informed decisions about security risks and vulnerabilities.
• Using the public data, evaluate the security posture of over 1 million of the most used OSS projects.

​

Automated Checks with Weighted Scoring

• 18 checks for vulnerabilities affecting different parts of the software supply chain (shown right)
• Each automated check returns a score out of 10 and a risk level; some checks have staged scoring, others are dichotomous
• The risk level adds weighting to the score (shown below)
• The weighted value of all checks are compiled into a single, aggregate score

https://github.com/ossf/scorecard#scorecard-checks

OpenSSF Scorecard: Running the Checks

• Run automatically on code you own using the GitHub Action
• Authenticate repo access with Personal Access Token
• Install Scorecard action to your code scanning suite
• Can publish results and display Scorecard badge on GitHub repo
• Run manually on your (or somebody else’s) project via the Command Line
• Check someone else’s repository
• Select which checks you want to run
• Control how detailed your results are

OpenSSF Scorecard: Viewing Scores

• Use the webviewer to see score reports for projects regularly scanned by Scorecard (shown right, link below)
• https://securityscorecards.dev/viewer/?uri=<github_or_gitlab>.com/ <user_name_or_org>/<repository_name>
• Results can be sorted by check name, score, or risk level
• Use the REST API to query pre-calculated scores of OSS projects
• Use the Scorecard CLI to view scores for projects that are not regularly scanned by Scorecard
• OpenSSF Scorecard scans 1 million of the most critical OSS projects
• Results published in a BigQuery public dataset

OpenSSF Scorecard: Sub-projects

• Scorecard API Visualizer: Fetches the scorecard data from the OpenSSF Scorecard API and presents it in a user-friendly and interactive visual format
• Scorecard Monitor: Simplifies score tracking in organizations with automated markdown, JSON reports, and optional GitHub issue alerts
• Allstar: GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices.

OpenSSF Scorecard: Get Involved

• Website: https://scorecard.dev
• GitHub: https://github.com/ossf/scorecard
• Slack: #scorecard
• Working Group: Best Practices

Graph for Understanding Artifact Composition

GUAC gives you directed, actionable insights into the security of your software supply chain.

GUAC: Use Cases

For developers

• Identify deprecated and unsupported dependencies
• Discover “version sprawl”, where several versions of the same dependency are included
• Locate and remediate vulnerable dependencies
• Identify risky upstreams based on security practices evaluated by OpenSSF Scorecard

For operations engineers

• Locate and remediate vulnerable dependencies

For open source program offices

• Identify strategically important open source upstreams
• Identify open source upstreams that could benefit from security help based on OpenSSF Scorecard results

​

GUAC: Mapping the relationships between software

GUAC aims to fill in the gaps by ingesting software metadata, like SBOMs, and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed.

GUAC: Components

The full GUAC component deployment is a set of asynchronous services that combine to form a robust and scaleable pipeline.

• GraphQL Server: abstraction layer for integrations and other components
• Ingestion Pipeline:
• Collector: Reads or watches locations for new documents and collects them when found
• Ingestor: Parses docs (ex: SBOMs) into GUAC data model/ontology
• Assembler: Puts GUAC objects into queryable datastore
• CollectSub: Takes identifiers of interest and creates a subscription for collectors to follow

GUAC: Get Involved

• Website: https://guac.sh/
• GitHub: https://github.com/ossf/scorecard
• Slack: #guac
• Working Group: Supply Chain Integrity

OpenVEX

A simplified Vulnerability Exploitability�eXchange implementation

What is VEX?

V.E.X. - Vulnerability Exploitability Exchange

A sequence of messages to communicate the impact of a vulnerability on a piece of software.

Designed to work with SBOMs but also independently.

Created by a community of stakeholders facilitated by CISA.

​

OpenVEX: Use Cases

The primary use cases for VEX are to provide users (e.g., operators, developers, and services providers) additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.

​

The VEX Statement

VEX centers on the notion of a statement. In short, a statement can be defined as an assertion intersecting product, a vulnerability, and an impact status:

OpenVEX

OpenVEX is one of the 4 VEX flavors developed under the CISA VEX working group.

Designed to be lightweight, embeddable and with linked data in mind.

​

The primary use cases for VEX are to provide users (e.g., operators, developers, and services providers) additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.

​

OpenVEX is…

A Specification

OpenVEX documents are minimal JSON-LD files that capture the minimal requirements for VEX as defined by the VEX working group organized by CISA. The OpenVEX Specification is owned and steered by the community.

A Go Library

The project has a go library (openvex/go-vex) that lets projects generate, transform and consume OpenVEX files. It enables the ingestion of VEX metadata expressed in other VEX implementations.

A Set of Tools

Work is underway to create the tools software authors and consumers need to handle VEX metadata. The current flagship project is vexctl, a CLI to create, merge and attest VEX documents.

OpenVEX Creators

vexctl Features

VEX Document Edit

Creating documents, adding statements,

Document Merging

Merging data from one or more documents into one.

Generation

Generate VEX documents from existing data

Attest & Sign

Generate signed attestations and sign them natively with Sigstore.

OpenVEX: Ecosystem

The project has a growing ecosystem with known implementations in:

• Go (original): https://github.com/openvex/go-vex
• .NET: NuGet GitHub
• Rust: https://docs.rs/openvex/latest/openvex/

OpenVEX: Get Involved

• GitHub: https://github.com/openvex
• Slack: #sig-openvex
• Special Interest Group: OpenVEX

Protobom

A format-neutral SBOM data representation and I/O library

28

Protobom: The Original Cohort

Protobom Core

• Protocol buffers representation of SBOM data
• Able to ingest documents in modern SPDX and CycloneDX versions without loss
• Accompanying Go library generated from the protocol buffers definition that also implements ingesters for those formats
• Standard SBOMs read by a reader using parsers that understand the common formats.
• Parsers create neutral protobom from data read from CycloneDX or SPDX documents
• Can be rendered into standard SBOM formats by the writer using serializers

Protobom Core

In essence, the protobom spec and intermediate representation allows applications to work with a consistent SBOM data graph.

​

… instead of a bunch of ever changing JSON.

​

​

Protobom Universe

The protobom universe of libraries and tooling aims to abstract operations that applications commonly perform on SBOM data.

​

The protobom ecosystem enables the creation of advanced SBOM applications without worrying about the underlying formats.

​

​

Protobom: Compatibility

The protobom library can be used to read in and write out SBOM documents in these formats:

Protobom: Examples

• The sbom-convert project
• https://github.com/protobom/sbom-convert provides a complete example of using the library to ingest an SBOM into the protobom intermediate format and then write out a new SBOM document in a different format.
• Read in SBOM document to work with specific field(s)
• The protobom library is the best and easiest way to interact with SBOM documents using the Go programming language.
• Generate an SBOM document programmatically
• The protobom intermediate representation could also be used to create a new SBOM document. Developers could create a new protobom document and use the Go programming language to populate the fields needed in the SBOM document.

Protobom: Get Involved

• GitHub: https://github.com/protobom/protobom
• Slack: #protobom
• Working Group: Security Tooling

SBOMit

Specification of an SBOM format independent

method for attesting components

SBOMit

An SBOMit document is effectively an SBOM, only with additional verification information added that was generated at the time the supply chain was generated. This verification information, which uses in-toto attestations and layouts, can be validated by a party to get a high degree of assurances about the software.

SBOMit

Prepare

Sources

Resolve

Dependencies

Compile

SBOMit: Document Components

• A series of in-toto attestations that were generated as the described software was created
• Detailed information about steps of the software supply chain
• An in-toto layout signed by the project owner
• Describes what valid attestation metadata for the project looks like
• Supplemental SBOM information
• Along with the in-toto attestations and in-toto layout can be used to derive an actual SBOM in a variety of formats

SBOMit: Advantages

• Generated at the time the software is being processed through the software supply chain
• More accurate than scanning tools that use incomplete information to try to recover what happened in the past
• Contains cryptographically signed metadata about all of the steps that went into making the software
• Much harder for accidental inaccuracies like skipping a step or for malicious actions to be undetected
• Provides greater ability to securely recover from a compromise

SBOMit: Get Involved

• GitHub: https://github.com/sbomit
• Slack: #sbomit
• Working Group: Security Tooling

Sigstore

A wax seal of security for the digital era.

42

Sigstore: Vision

Sigstore was started to improve supply chain technology for anyone using open source projects. It's for open source maintainers, by open source maintainers.

And it's a direct response to today’s challenges, a work in progress for a future where the integrity of what we build and use is up to standard.

Sigstore: How it Works

Sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.

A standardized approach

This means that open source software uploaded for distribution has a stricter, more standardized way of checking who’s been involved, that it hasn’t been tampered with. There’s no risk of key compromise, so third parties can’t hijack a release and slip in something malicious.

Sigstore: Components

• Cosign: User-friendly tool to sign and verify software artifacts and container images.
• Fulcio: Certificate authority to issue short-lived identity-based code-signing certificates.
• Rekor: Transparency log providing a tamper-resistant record of software signatures and metadata.
• Gitsign: Sign Git commits with your own GitHub / OIDC identity.

Sigstore: Benefits

• Previous tools to cryptographically sign OSS packages often unused
• No widely-practical mechanism to determine if public keys used are correct — verification impractical
• No easy way to detect malicious signing
• Key revocation typically impractical in practice
• Sigstore is a free-to-use non-profit software signing service
• Users generate ephemeral short-lived key pairs using the sigstore client tooling
• sigstore PKI service provides a signing certificate generated upon a successful OpenID connect grant
• All certificates are recorded in certificate transparency log
• Software signing materials are sent to a signature transparency log
• Guarantees that claimed user controlled their identity service providers’ account at time of signing
• Once the signing operation is complete, the keys can be discarded, removing any need for further key management or need to revoke or rotate.
• Using OpenID connect identities enables use of existing security controls such as 2FA, OTP and hardware token generators
• Enables using cloud CI/CD provider without maintaining private key - simple!
• Transparency logs are public and open; anyone can monitor transparency logs for issues

Sigstore: Get Involved

• Website: https://www.sigstore.dev/
• GitHub: https://github.com/sigstore/
• Slack: sigstore.slack.com
• Training: LFS182

Supply-chain Levels

for Software Artifacts (SLSA)

Safeguarding artifact integrity across any software supply chain

SLSA

Supply-chain Levels for Software Artifacts, or SLSA ("salsa").

It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.

If an SBOM is like a list of ingredients, SLSA is like all of the food safety handling guidelines that make an ingredient list credible.

​

SLSA: Use Cases

SLSA is for everyone involved in producing, consuming, and providing infrastructure for software such as build platforms and package ecosystems.

• Producers: for protection against tampering and insider threats
• Consumers: to verify the software they rely on is secure
• Infrastructure Providers: as a guideline for hardening build platforms and processes.

SLSA: The Supply Chain Problem

Any software can introduce vulnerabilities into a supply chain. As a system gets more complex, it’s critical to already have checks and best practices in place to guarantee artifact integrity, that the source code you’re relying on is the code you’re actually using. Without solid foundations and a plan for the system as it grows, it’s difficult to focus your efforts against tomorrow’s next hack, breach or compromise.

SLSA offers…

• A common vocabulary to talk about software supply chain security
• A way to secure your incoming supply chain by evaluating the trustworthiness of the artifacts you consume
• An actionable checklist to improve your own software’s security
• A way to measure your efforts toward compliance with forthcoming Executive Order standards in the Secure Software Development Framework (SSDF)

​

SLSA: Levels of Assurance

• Common language for security of software, supply chains and their components
• Industry-recognized best practices to create four compliance levels of increasing assurance
• Levels look at the builds, sources and dependencies in open source or commercial software

SLSA: Get Involved

• Website: https://slsa.dev/
• GitHub: https://github.com/slsa-framework/slsa
• Slack: #slsa
• Working Group: Supply Chain Integrity

Zarf

A free open source tool that enables continuous software delivery on systems that are disconnected from the internet.

DevSecOps for Airgap

Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.

Modern software assumes your systems have access to the internet. This may work for 99% of the world, but certain SECURE systems need to maintain capabilities while being disconnected or intermittently disconnected from the internet. Zarf keeps your software running, no matter your connection status.

Zarf: Use Cases

• Intermittently Connected Systems
• Some systems experience disconnection occasionally due to temporary loss of access, like a rocket going around the moon. Zarf keeps those systems running.
• Always Disconnected
• Other systems are always disconnected due to lack of internet access. Maybe they are underground, underwater, or on another planet.
• Situationally Disconnected Systems
• The worlds most important infrastructure needs to be able to control their connection to the internet and still run in the case of internet loss or a cyber attack.

Zarf: Use it to…

• Securely Package Apps & Resources
• Package a chunk of the internet and securely deliver all of the files and dependencies needed to run an application in a disconnected environment.
• Deploy Cloud Apps While Disconnected
• Deploy apps declaratively and without internet connectivity. This opens the door for modern cloud capabilities to be deployed in disconnected environments.
• Easily Maintain Apps While Disconnected
• Reduces the skills and resources needed to manage and update applications in disconnected environments, ensuring no downtime or data loss when updating software.

Zarf: Features

• Automate Kubernetes deployments in disconnected environments
• Automate Software Bill of Materials (SBOM) generation
• Build and publish packages as OCI image artifacts
• Provide a web dashboard for viewing SBOM output
• Create and verify package signatures with cosign
• Publish, pull, and deploy packages from an OCI registry
• Powerful component lifecycle actions
• Deploy a new cluster while fully disconnected with K3s or into any existing cluster using a kube config
• Built-in Git server with Gitea
• Built-in Docker registry
• Builtin K9s Dashboard for managing a cluster from the terminal
• Mutating Webhook to automatically update Kubernetes pod's image path and pull secrets as well as Flux Git Repository URLs and secret references
• Builtin command to find images and resources from a Helm chart
• Tunneling capability to connect to Kubernetes resources without network routing, DNS, TLS or Ingress configuration required

Zarf: Get Involved

• Website: https://zarf.dev/
• GitHub: https://github.com/zarf-dev/zarf
• Slack: #zarf
• Working Group: Supply Chain Integrity

gittuf

Protect the contents of a Git repository from unauthorized or malicious changes

gittuf

gittuf is a platform-agnostic Git security system. The maintainers of a Git repository can use gittuf to protect the contents of a Git repository from unauthorized or malicious changes. Most significantly, gittuf’s policy controls and enforcement is not tied to your source control platform (SCP) or “forge”, meaning any developer can independently verify that a repository’s changes followed the expected security policies. In other words, gittuf removes the forge as a single point of trust in the software supply chain!

gittuf: Features

• Root of Trust
• gittuf uses TUF semantics to establish a root of trust for a Git repository
• Key Distribution and Revocation
• gittuf allows repository owners to declare and distribute the public keys required to verify Git commit and tag signatures
• Permissions
• gittuf builds on the improved key distribution and revocation mechanisms by leveraging Git’s commit and tag signing to define access control policies
• Repository owners can define rules such as the set of developers authorized to make changes to a branch or create a tag
• Repository owners can also create policies that dictate which users can make changes to specific files in the repository

gittuf: Goals

While developing gittuf, we have the following goals.

Unopinionated / Agnostic

gittuf provides features to implement different policies without requiring the use of specific systems or tools. For example, gittuf supports a variety of signing mechanisms such as GPG keys and Sigstore’s gitsign.

Compatible

gittuf is designed with great care to be compatible with standard Git repositories. All additional artifacts are stored in Git’s object store in a gittuf-specific namespace. These artifacts are not visible in the “main” contents of a repository, and therefore do not create any clutter.

​

gittuf: Get Involved

• Website: https://gittuf.dev/
• GitHub: https://github.com/gittuf/gittuf
• Slack: #gittuf
• Working Group: Supply Chain Integrity

Open Source Vulnerability Schema (OSV Schema)

Better vulnerability triage

for open source

66

66

OSV Schema

OSV Schema defines a standard interchange format for describing vulnerabilities in open source packages.

We hope to define a simple format that all vulnerability databases can export, to make it easier for users, security researchers, and any other efforts to consume all available databases. Use of this format would also make it easier for the databases themselves to share or cross-check information. Ultimately, this format aims to enable automated, accurate, and distributed management of vulnerabilities in open source dependencies.

​

OSV: Use Cases

• Open source consumers: By querying OSV.dev’s API and using the tooling to find known vulnerabilities in their dependencies.
• Vulnerability database producers: By making the database available in the OSV format.

OSV consists of:

1. The OSV Schema: An easy-to-use data format that maps precisely to open source versioning schemes.
2. Reference infrastructure (OSV.dev website, API, and tooling) that aggregates, enriches and indexes vulnerability data from databases that use the OSV schema.
3. OSV-Scanner, the officially supported frontend for OSV.dev

OSV: How it Works

OSV enables developers to identify known third-party open source dependency vulnerabilities that pose genuine risk to their application and its environment, so they can focus remediation efforts on the vulnerabilities that matter and sustainably manage vulnerabilities that do not affect them.

The OSV repository contains the infrastructure code that serves osv.dev (including the API). This infrastructure serves as an aggregator of vulnerability databases that have adopted the OpenSSF Vulnerability format.

osv.dev additionally provides infrastructure to ensure affected versions are accurately represented in each vulnerability entry, through bisection and version analysis.

OSV Schema: Get Involved

• Website: https://ossf.github.io/osv-schema/
• GitHub: https://github.com/ossf/osv-schema
• Slack: #osv_schema
• Working Group: Vulnerability Disclosures

Package Analysis &

Malicious Packages

Improving security by detecting and reporting malicious open source software

Package Analysis

The project looks for behaviors in packages available on open source repositories that indicate malicious software:

• What files do they access?
• What addresses do they connect to?
• What commands do they run?

This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem.

Package Analysis: How it Works

The project's components are:

• A scheduler - creates jobs for the analysis worker from Package Feeds.
• Analysis (one-shot analyze and worker) - collects package behavior data through static and dynamic analysis of each package.
• A loader - pushes the analysis results into BigQuery.

​

The goal is for all of these components to work together and provide extensible, community-run infrastructure to study behavior of open source packages and to look for malicious software. We also hope that components can be used independently, to provide package feeds or runtime behavior data for anyone interested.

Package Analysis: Pipeline

1. Package repositories are monitored for new packages.
2. Each new package is scheduled to be analyzed by a pool of workers.
3. A worker performs dynamic analysis of the package inside a sandbox.
4. Results are stored and imported into BigQuery for inspection.

Malicious Packages

An open source system for collecting reports of malicious packages�identified in package repositories, consumable via the OSV format.

The aim is to be a comprehensive, high quality, database of reports of malicious packages published on open source package repositories.

Public reports help protect the open source community, and provide a data source for the security community to improve their ability to find and detect new open source malware.

Malicious Packages: Metrics

Total Reports

33,573

Package Analysis: Get Involved

• GitHub: https://github.com/ossf/package-analysis
• Slack: #package-analysis
• Working Group: Securing Critical Projects

Repository Service

for TUF (RSTUF)

Better vulnerability triage for open source

RSTUF

Repository Service for TUF (RSTUF) is a collection of components that provide services for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).

RSTUF security properties are achieved by implementing The Update Framework (TUF) as a service.

Repository Service for TUF is platform, artifact, language, and process-flow agnostic.

RSTUF: Use Cases

Some RSTUF use case examples include but are not limited to:

• An organization has a live “Software Updater”. This “Software Updater” uses TUF to download, install and update software artifacts.
• An organization distributes documents. The reader uses TUF to fetch documents submitted by a trusted source.
• An organization owns a private container image registry and uses TUF in the CI/CD to deploy computing trusted images at the edge .
• An organization with many Operational Technology (OT) devices in different plants uses TUF clients to fetch firmware, software, and projects from a distributed artifact repository.
• Web portal, which uses TUF to list all artifacts from a content repository and render as a Web UI, the user to download using a web browser.

RSTUF: Design/Solution

• Simplifies the adoption of TUF by removing the need to design a repository integration – RSTUF encapsulates that design.
• Designed to be integrated with existing content delivery solutions – at the edge or in public/private clouds – alongside current artifact production systems, such as build systems.
• Protects downloading, installing, and updating content from arbitrary content repositories.

RSTUF: API Integrations

If a user wants to integrate RSTUF into an existing CI/CD pipeline the only requirement is to make a REST API request to RSTUF:

​

​

​

The same can be said when a user wants to integrate RSTUF into an existing distribution platform:

RSTUF: Get Involved

• Website: https://repository-service-tuf.readthedocs.io/
• GitHub: https://github.com/repository-service-tuf
• Slack: #repository-service-for-tuf
• Working Group: Securing Software Repositories

Secure Supply Chain

Consumption Framework (S2C2F)

The S2C2F guide outlines and defines how to securely consume OSS dependencies into the developer’s workflow.

S2C2F

The S2C2F is a combination of processes and tools for any organization to adopt to help establish a secure OSS ingestion process to protect developers from OSS Supply Chain threats and to help establish a governance program to manage your organization’s use of OSS.

S2C2F: Objective

The objective for the S2C2F Project is to develop and continuously improve upon a guide that provides the following:

• A high-level solution-agnostic set of practices
• A detailed list of requirements
• A list of real-world supply chain threats specific to OSS, and how our Framework requirements mitigates them
• A maturity model-based implementation guide, with links to tools from across the industry
• A process for assessing your organization’s maturity
• A mapping of the Framework requirements to 6 other supply chain specifications

S2C2F: Core Concepts

The S2C2F is modeled after three core concepts—control all artifact inputs, continuous process improvement, and scale.

S2C2F: Get Involved

• GitHub: https://github.com/ossf/s2c2f
• Slack: #s2c2f
• Working Group: Supply Chain Integrity

Best Practices

Badge Program

Best practices for Free/Libre and

Open Source Software

Best Practices Badge Program

The Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using a web application to explain how they follow each best practice. The OpenSSF Best Practices Badge is inspired by the many badges available to projects on GitHub. Consumers of the badge can quickly assess which FLOSS projects are following best practices and as a result are more likely to produce higher-quality secure software.

Best Practices Badge Program

The OpenSSF Best Practices Badge website outlines the criteria for the passing badge, provides an example, shows participating projects, and supports queries to show projects that have a passing badge. This project was formerly known as the Core Infrastructure Initiative (CII) Best Practices Badge and was formally renamed as part of OpenSSF in late 2021. More information on the OpenSSF Best Practices Badging program is available on GitHub.

Best Practices Badge Program

Getting a passing badge is a significant achievement; on average only about 10% of pursuing projects have a passing badge. We have established two higher levels beyond passing: silver and gold. Here is a summary of the gold criteria:

• At least 2 unassociated significant contributors
• Per-file copyright and license
• Use 2FA
• At least 50% of all modifications are reviewed by another
• Have a reproducible build
• Use continuous integration
• Statement coverage 90%+
• Branch coverage 80%+
• Support secure protocols & disable insecure protocols by default
• Use TLS version 1.2 or higher
• Have a hardened project website, repo, and download site
• Have a security review (internal or external)

Best Practices Badge Program: Get Involved

• Website: https://www.bestpractices.dev
• GitHub: https://github.com/coreinfrastructure/best-practices-badge
• Slack: #wg-best-practices-ossdev
• Working Group: Best Practices for Open Source Developers

Criticality Score

Defining the influence and importance of a project

Criticality Score

The Criticality Score gives criticality score for an open source project.

Goals:

• Generate a criticality score for every open source project.
• Create a list of critical projects that the open source community depends on.
• Use this data to proactively improve the security posture of these critical projects.

A project’s criticality score defines the influence and importance of a project. It is a number between 0 (least-critical) and 1 (most-critical). It is based on the following algorithm by Rob Pike:

Criticality Score: Get Involved

• GitHub: https://github.com/ossf/criticality_score
• Working Group: Securing Critical Projects

Fuzz Introspector

Improving the fuzzing experience of a project

Fuzz Introspector

Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers. Fuzz introspector aggregates the fuzzers’ functional data like coverage, hit frequency, entry points, etc to give the developer a birds eye view of their fuzzer. This helps with identifying fuzz bottlenecks and blockers and eventually helps in developing better fuzzers.

Fuzz-introspector aims to improve fuzzing experience of a project by guiding on whether you should:

• introduce new fuzzers to a fuzz harness
• modify existing fuzzers to improve the quality of your harness.

​

Indexing OSS-Fuzz Projects

Open Source Fuzzing Introspection provides introspection capabilities to OSS-Fuzz projects and is powered by Fuzz Introspector.

• Table of projects with Fuzz Introspector analysis
• Examples, with links in profile to latest Fuzz Introspector analysis:
• Liblouis / C
• htslib / C
• brotli / C++
• idna / python
• junrar / java

Fuzz Introspector: Architecture

Fuzz Introspector: Get Involved

• GitHub: https://github.com/ossf/fuzz-introspector
• Working Group: Security Tooling

Security Insights Specification

Machine-processable project security information reporting

Security Insights Specification

This specification provides a mechanism for projects to report information about their security in a machine-processable way. It is formatted as a YAML file to make it easy to read and edit by humans.

The data tracked within this specification is intended to fill the gaps between simplified solutions such as SECURITY.md and comprehensive automatable solutions such as SBOMs. In that gap lay elements that must be self-reported by projects to allow end-users to make informed security decisions.

As the adoption of Security Insights grows, so does the opportunity to automatically ingest it. For example, the Linux Foundation's CLOMonitor parses a project's Security Insights file to determine whether projects have reported on select security factors prioritized by the foundation.

Security Insights Specification: Get Involved

• GitHub: https://github.com/ossf/security-insights-spec
• Slack: #security-insights
• Working Group: Supply Chain Integrity

bomctl

Bridging the gap between SBOM generation

and SBOM analysis tools.

bomctl

bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations by being opinionated on only supporting the NTIA minimum fields or other fields supported by protobom.

It is intended to help developers who need to manipulate SBOMs at the CLI or within a workflow. Example operations would be merging in project specific SBOM data that would not be detected by a SBOM generation tool.

bomctl: Goals

• Simplify the process of manipulate SBOM Files while being SBOM format agnostic
• Simplify linking SBOM Files to allow "trees" of SBOM Files to handle capturing systems of systems
• Manage reading SBOM Files from a variety of sources
• Manage writing SBOM Files to a variety of destinations
• Create a CLI to wrap protobom go library functionality

bomctl: Features

• Work with multiple SBOMs in tree structures (through external references)
• Fetch and push SBOMs using multiple protocols
• Leverage a .netrc file to handle authentication
• Manage SBOMs using a persistent database cache
• FUTURE - Manipulate SBOMs with commands like diff, split, and redact
• FUTURE - Interface with OpenSSF projects and services like GUAC and Sigstore

bomctl: Get Involved

• GitHub: https://github.com/bomctl
• Slack: #bomctl
• Working Group: Security Tooling

OSPS Baseline

Structured security requirements aligned with international frameworks, standards, and regulations

111

What is the Baseline?

The OpenSSF’s Open Source Project Security Baseline (OSPS Baseline or simply “Baseline”) refers to a collection of efforts led by the OpenSSF in collaboration with members and LF partners (CNCF, FINOS, OpenJS).

​

The Baseline includes a Catalog of requirements that map to industry standards, frameworks, and regulations, and Tooling to assist in determining Baseline-compliance, that automate Baseline configuration settings, and links to evidence and attestations.

112

112

Est. 2024

All your Base are belong to us

The OpenSSF Security Baseline was officially released Feb 2025

Based on a library of well-known cybersecurity frameworks, standards, and global regulations

It includes 40 requirements across 3 levels of maturity covering 8 areas of cyber and application security practices

• Access Control
• Build & Release
• Documentation
• Governance
• Legal
• Quality
• Security Assessment
• Vulnerability Management

113

https://baseline.openssf.org

https://github.com/ossf/security-baseline

https://github.com/ossf/wg-ORBIT

What are these levels you speak of?

• “Universal security floor” for all open source - great for single maintainer or early maturity projects
• Are you a Foundation? the level 1 baseline should be your first set of criteria for maturing projects (or even accepting projects).

• “Let me get my cli, I got this” - good for projects with 2 - 6 maintainers and maturing

• Security flex - good for highly mature projects that consider security a core competency
• Are you in a Foundation with project resources? You should strive for this one.

114

https://baseline.openssf.org

https://github.com/ossf/security-baseline

20

18

9

Compliance Crosswalk

115

https://docs.google.com/spreadsheets/d/1an5mx3rayoz3JRFUepD56zgprpwXBXBG70fVZvIMCpA/

Level 2 & 3

Building a Better Catalog

Baseline currently maps alignment across multiple cyber compliance frameworks and/or cyber legislations. “Baselining” helps downstream select projects that align with and that support their compliance obligations!

​

116

• SSDF
• CSF
• 800-161/800-53
• CISA Software Acquisition Guide (forthcoming)

• Software Security Code of Practice (forthcoming)

• Cyber Resilience Act
• DORA (forthcoming)

• BP Badges
• Scorecard
• Minder
• SLSA
• OpenSSF tooling

Have a framework or a particular piece of legislation you’d like to see integrated into the Baseline? Patches Welcome!

Why Baseline Matters

Value-prop for Devs

• Gives direct and actionable advice for improving security practices
• Provides the ability for Developers/projects to show they follow reasonable security measures as well as ways to improve
• Allow projects to humble-brag about how great they are
• Collects common downstream requests (nags/demands) and advertises them so Downstream can RTFM and stop harassing their unpaid Upstream component sources

​

Value-prop for Downstream

• Provides clear signals and evidence/attestations about upstream component security practices to allow corporate due-diligence and risk management
• Provides a clear checklist of things that Downstream could go work with (donate/DO) for their Upstream sources
• Aligns software development practices with global cybersec laws and frameworks (reduces compliance costs [do once, applicable many])

117

Tying it all together

As the group settles into a working rhythm, we’re now ready to start engaging with the broader LF and ecosystem.

We’ll begin work on a “Baseline workflow” on how projects can “Get Baselined”, work on docs, education, and continue work on automation and attestations .

Tools Like LFX, Scorecard, and BP Badges will be outward signs for developers and consumers about the “Baselineness” of a project.

118

Future Workflow

119

• Baseline Catalog v1.0 is ready today!
• Compliance Crosswalk 1.0 ready today!
• Tooling to enable and empower the Baseline Catalog are being developed TODAY!

Follow the ORBIT Working group

(Open Resources for Baselines, Interoperability, and Tooling) for more details - https://github.com/ossf/wg-orbit

OSPS Baseline: Get Involved

• GitHub: https://github.com/ossf/security-baseline
• Slack: #sig-security-baseline
• Working Group: ORBIT

Is your organization a member of OpenSSF?

Questions? Contact membership@openssf.org

121

openssf.org/join

Legal Notice

Copyright © Open Source Security Foundation®, The Linux Foundation®, & their contributors. The Linux Foundation has registered trademarks and uses trademarks. All other trademarks are those of their respective owners.

Per the OpenSSF Charter, this presentation is released under the Creative Commons Attribution 4.0 International License (CC-BY-4.0), available at <https://creativecommons.org/licenses/by/4.0/>. You are free to:

• Share — copy and redistribute the material in any medium or format for any purpose, even commercially.
• Adapt — remix, transform, and build upon the material for any purpose, even commercially.

The licensor cannot revoke these freedoms as long as you follow the license terms:

• Attribution — You must give appropriate credit , provide a link to the license, and indicate if changes were made . You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
• No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

122