SEATTLE—How does anyone know if any given open-source project is following security best practices? That's a question that the Linux Foundation is now trying to answer with a new program announced at the LinuxCon conference here.
Emily Ratliff, senior director of infrastructure security at the Linux Foundation, announced the new badging effort in a press conference with media and analysts. She said the program is akin to the badges used on the popular Github code-development and -sharing site.
The basic idea with the badges is to have open-source projects evaluate their security posture and best practices against a number of criteria. The criteria are currently under discussion but will likely include security basics, such as whether or not a project regularly updates, does static or dynamic analysis of code, and has a security response capability (by way of an email alias or other mechanism).
The Core Infrastructure Initiative (CII) was created by the Linux Foundation in the wake of the Heartbleed vulnerability in OpenSSL in 2014. Among the financial backers of CII are Adobe, Bloomberg, Hewlett-Packard, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. The CII has raised approximately $5.5 million in funding to help support its ongoing efforts.
Watch the full video of Ratliff's comments from LinuxCon below:
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.