Back in August 2015, the Linux Foundation Core Infrastructure Initiative (CII) announced a new badging effort to help open-source projects with security best practices. On May 3, the first groups to achieve the security badge were formally announced, and they include Curl, GitLab, OpenBlox, OpenSSL, Node.js, Zephyr and the Linux kernel.
To earn a badge, projects must comply with a set of security best practices as outlined in the CII Best Practices Badge GitHub repository. Most of the items are either automatically verified—for example, providing encrypted access to a repository—or obvious, such as providing good release notes, according to Dan Kohn, senior adviser to CII and the Linux Foundation.
“Individuals who find that a project is not living up to aspects of the badge can open an issue on the CII Best Practices Badge’s GitHub site, and we can manually move badges off of passing status,” he told eWEEK.
For the badging of the Linux kernel itself, Kohn noted that Greg Kroah-Hartman, a Linux Foundation fellow and maintainer of the stable kernel branch, conducted the assessment on behalf of the kernel community.
“As one of the largest, oldest and best funded open-source projects, the Linux kernel has long been an example of best practices,” Kohn said. “In particular, it has excellent documentation about contributing, formatting patches, security, etc.”
As such, the Linux kernel security badge assessment consisted mostly of entering the URLs for the existing documentation, he said. While the Linux kernel is a large project that already has established best practices, the CII Best Practices Badge is also designed for smaller projects, and single developer projects such as Curl have already achieved a badge, Kohn added.
So far, a core developer from each badged project has completed the assessment to receive the badge, according to Kohn. He noted that CII reached out directly to each of the initial projects to encourage them to be among the first to get badges.
“We’re now encouraging all open-source developers to get a badge,” he said. “We would like to see tens of thousands of badged projects.”
From a risk perspective, the fact that a given project has achieved the CII Best Practices Badge doesn’t necessarily reduce the risk of a security incident, but it can make security comparatively better.
“Between two equivalent projects, a project that cares enough to ensure that it qualifies for a badge and to take the trouble to get one may well be more secure or reliable,” Kohn said. “CII encourages all open-source projects, and especially ones that are part of the Internet’s core infrastructure, to get the badge.”
At this point there is only one type of badge in the CII program, but Kohn said that will evolve. He expects the program will eventually offer not just a pass/fail badge, but also silver, gold and platinum badges.
“We also expect to add additional constraints over time to help ensure that best practices only get better as they become more widely accessible,” Kohn said.
The CII Best Practices badge page lists a number of projects that are currently in process but have not yet been granted a badge.
“Any open-source developer can go to that page and receive an in-progress badge for any or all of their projects,” Kohn said. “We are happy to provide support via GitHub issues, but it’s now up to those developers to complete the assessment.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.