The Linux Foundation’s Core Infrastructure Initiative project on Tuesday announced a free badge program to help foster security, quality and stability in open source software projects.
Through an online app, the CII lets devs determine whether they’re following best practices, generally within an hour or so.
If they are, they’ll receive the badge, which they can display on GitHub and other online properties.
The ongoing development of the app and its criteria is an open source project to which devs can contribute.
Curl, GitLab, the Linux Kernel and OpenSSL are among the projects that already have earned the badge.
Issues With Open Source
“I suspect open source software is no better or worse than [proprietary] software in terms of security flaws,” Wang suggested. “We hear more about open source flaws, because they tend to be public in terms of disclosure of security vulnerabilities.”
The problem with open source software is that it has no set standard as to the security levels to test to, observed Holger Mueller, principal analyst at Constellation Research.
The badge process “is a very good first step to get multiple open source initiatives to start adopting some basic and some advanced security protocols,” he told LinuxInsider.
There currently are few ways to measure an open source project objectively, Red Hat’s Bressers pointed out. “If this project manages to create a community where we can accurately and easily understand the level of security of a given project, that would be good news for everyone, especially the projects that put the effort into earning a positive rating.”
One of the great challenges facing open source today is “being able to understand and control the value chain in your development and dependencies,” he explained. “Ideally, [the badge project] will help with that.”
The standard set for awarding the badge is reasonable, so “it will quickly become requested by open source consumers,” Constellation’s Mueller predicted. “We shouldn’t be surprised to see widespread adoption.”
Although it’s too early to tell whether it might end up being a de facto standard, the wide interest and endorsement by several projects “is a good sign,” he said.
Standards wars repeatedly have erupted in the proprietary software field, and if standards rivalry were to emerge for open source, that would be bad, Mueller mused.
In general, however, the security community has been working well together, he noted. Rather than competing, researchers have been layering on top of one another and complementing each other’s work.
“In the even more collaborative open source ecosystem,” said Mueller, “I’d be surprised to see another approach.”
Consideration for the badge now includes an assessment of OpenSSL, the software used by open source Web servers such as Nginx and Apache, which host more than 60 percent of the world’s websites.
That widespread usage made hundreds of thousands of websites vulnerable to the Heartbleed OpenSSL flaw, and many large sites, including Yahoo, were left scrambling for a fix.
The flaw, discovered in April 2014, resulted from a minor programming error made by a Ph.D. student. It was followed by another flaw in July of 2015.
Those vulnerabilities were a consequence of lack of funding and the small size of the OpenSSL team, according to OpenSSL Foundation president Steve Marquess.
However, “all software has security issues,” noted Josh Bressers, security strategist at Red Hat.
The use of OpenSSL in websites has been trending steadily downward since 2015.
Before Heartbleed struck, OpenSSL met only about one-third of the CII Best Practices Badge criteria, according to the Linux Foundation, but it now scores a perfect 100 percent.
The Badge’s Impact
The badge is one way to recognize the incredibly important contributions open source programmers make to the community, observed Red Hat’s Bressers.
“It should at the very least generate lessons that can be applied in the future,” he told LinuxInsider.
“A ‘Good Housekeeping seal’ is a good analogy,” noted Chenxi Wang, chief strategy officer at Twistlock.
“It doesn’t quite say ‘vulnerability free,’ but it gives a general sense of confidence and assurance that the software has at least gone through some standard checks and practice guarantees,” she told LinuxInsider.