Linux Foundation’s Core Infrastructure Initiative Seeks Community Input On New Security-Focused Badge Program
Two Prominent Cyber Security Authorities Become New CII Advisory Board Members
Seattle, LinuxCon/CloudOpen North America, August 18, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced it is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software.
The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA) and is also coordinating the CII’s Census Project, and Dan Kohn, a senior adviser on the CII.
Virtually every industry and business leverages open source, and is therefore more interconnected with and dependent on it than ever before. Despite its prevalence, quickly determining which open source projects are best maintained and most secure is a complex problem for both seasoned CIOs and nimble developers. The self-assessment, and the badges that will follow, are designed to be a simple, fairly basic way for projects to showcase their commitment to security and quality. The criteria are also meant to encourage open source software (OSS) projects to take positive steps with both in mind and to help users know which projects are taking these positive steps.
Established in 2014 in response to the Heartbleed vulnerability, CII is a multi-million dollar project that funds and supports critical elements of the global information infrastructure. Moving beyond funding projects, CII is introducing pre-emptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices.
“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”
Projects that follow best practices can still have vulnerabilities, other bugs, and other kinds of problems, but they should be in a better position to prevent, detect and fix them. For example, many practices suggest multi-person review, which can help find otherwise hard-to-find vulnerabilities. Currently the criteria combine general best practices with questions specific to security. The questionnaire asks whether a project has an OSS license; a public version-controlled source repository; a general mailing list; an automated regression test suite; and at least one static analysis tool applied to the source code to look for vulnerabilities.
CII Adds Two New Advisory Board Members
Adam Shostack is a technologist, entrepreneur, author and game designer. He is a member of the BlackHat Review Board and helped found the Common Vulnerabilities and Exposures (CVE) effort, among many other things. He has been sharing knowledge about developing secure software since 1996. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of Microsoft’s SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of “Threat Modeling: Designing for Security,” and the co-author of “The New School of Information Security.” For more on Adam, see adam.shostack.org.
The second new CII advisory board member is Tom Ritter, Practice Director of Cryptography Services, part of NCC Group, where he performs application penetration testing and cryptographic analysis for multiple platforms and environments. He has spent several years leading application security assessments and research on everything from browsers to embedded cell towers, and before that worked as a developer in the financial services sector. Some of his public work can be seen at security conferences in Europe, North and South America and in managing NCC Group’s work with the Open Technology Fund and the Open Crypto Audit Project, comprising public reports on TrueCrypt, TorBrowser and several other applications. He is involved in IETF Working Groups for secure protocols, is a volunteer for the Tor Project, and works towards security, anonymity, and privacy on the Internet.
The CII also continues to provide funding for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. CII accepts grant applications on an ongoing basis, with priority given to underfunded open source projects that support the largest amount of infrastructure. To submit a grant application or for more information, go to: http://www.linuxfoundation.org/programs/core-infrastructure-initiative.
About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects and Linux conferences, including LinuxCon, and by generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.
The Linux Foundation and Linux Standard Base are trademarks of the Linux Foundation. Linux is a trademark of Linus Torvalds.