In May of last year the CII launched its Best Practice Badge program. Our goal was to raise awareness of development processes and project governance steps that will help projects have better security outcomes. By giving project maintainers a list of actionable items that are known to improve security, teaching them why these steps lead to improvement and showing them how to implement them, we can raise security standards and help projects get better at delivering secure products. By offering a visual “badge” we can make it easier for consumers of open source projects to see which projects take security seriously. More recently, in June of this year, we added new Silver and Gold levels to the badges, to allow projects that make further efforts to drive security improvements to show off their commitment.
We recently issued our 100th Badge to a passing project. A few days later, we had our 1,000th project sign up for the Best Practice Badge program. Our goal for the Best Practice Badge is to be a recognisable mark of commitment to security by projects. For any mark to gain recognition, it needs to be used and on display. In light of that fact, we are delighted that the Best Practice Badge recently passed these two major adoption milestones.
Some people have questioned why the pass rate is only 10 percent. The fraction of projects getting a badge has been fairly stable for a while, even as the number of registered projects continues to grow, as can be seen from the project statistics page. When we set up the program it was very much our intent that this should not be some “rubber stamp” process but that projects would need to work to get their badge. To date nearly every project has had to make some improvement in order to achieve a badge, which indicates that the program is actually moving the needle on Open Source Security.
Several projects have given us feedback on the badging process and there are several topics that came up over and over again. Common issues that often need to be fixed include:
- not supporting a secure way to access the project web site (or not having a valid certificate for the site),
- not performing automated testing,
- not performing any sort of code analysis, and
- not having a publicly documented process for reporting security vulnerabilities.
Other important changes projects have made as a result of going through the badge process include:
- removing insecure cryptographic algorithms,
- adding unique version numbers for each release,
- documenting release notes and the contribution process, and
- including coding style guidelines for contributions.
History shows that these sorts of steps can improve the security outcomes for projects so we are delighted that all of the passing projects are now taking these steps.
On to Silver and Gold
As well as the huge progress we have made with getting projects to a “passing grade,” the CII Best Practice Badge program recently launched its enhanced Silver and Gold badges. These higher-level badges add a number of extra criteria on top of the passing level and make mandatory some of the criteria that are recommended at the lower levels. These higher levels give our passing projects some new stretch goals to which they can aspire.
Today we are delighted to announce that now not only do the higher-level badges bring glory and fame but prizes as well! The maintainers who complete the Silver badge process for the first 50 projects will each receive a bag of Linux Foundation and CII branded swag (probably a hoodie, t-shirt and some other stuff; we’ve not quite pinned the details down yet). Furthermore, each maintainer who completes the badge process for the first 5 projects to have a Gold badge validated will be invited to attend the Linux Foundation-organised conference of their choice, along with an invitation to present at that conference on how their project runs its Secure Development Life Cycle process. Don’t worry if you’re too shy to get up on stage; presenting isn’t obligatory, but we really do want successful projects to share their experiences so that other projects can learn from them.
On to the 10,000 projects and 1,000 badges! Woohoo!