In theory, the more people are involved in a software project, the lower the chance of a vulnerability slipping through. But in practice, the open-source community suffers from its fair share of security issues that periodically rise to the surface, like the Heartbleed vulnerability discovered last year, which The Linux Foundation hopes to address with a new initiative meant to foster safer development.
The program is launching under the wing of the Core Infrastructure Initiative (CII), one of the many groups in its vast ecosystem, which will start handing out badges to projects that meet the requirements outlined in a standard published this week. The lengthy document covers everything from basic eligibility criteria concerning licensing and documentation to more nuanced details such as the method with which code is delivered.
The program mandates that downloads must be served over a secure connection that can’t be intercepted and that project organizers should provide a similarly private channel for their users to report security vulnerabilities. The remaining criteria pertain mainly to the code base itself and how it’s managed, which can be checked using an automated assessment tool available to participants.
Projects that are found to meet the requirements of the CII standard are given a specific combination of badges reflecting their level of compliance. It’s not exactly a foolproof defense against security issues, especially given that participation is entirely voluntary, but it does hold the potential to establish a much-needed baseline for safer code.
Creating a tangible distinction between projects that employ security best practices and those that don’t, in the form of a badge clearly visible to any prospective user, could be what it takes to create the competitive pressure needed to motivate projects that fall short of the standard to catch up. But to do that, the CII first needs to establish its standard as a reliable benchmark, which is why it’s actively soliciting input on the document from members of the open-source community.
The group’s efforts seem to be bearing fruit. The Linux Foundation announced that two key influencers, BlackHat Review Board member Adam Shostack and NCC Group Plc. cryptography services head Tom Ritter, have joined the CII leadership in conjunction with the launch of the certification program to help its efforts along.
Photo via Geralt