The Linux Foundation Core Infrastructure Initiative’s badging program matures, as the first projects to achieve security badges are announced.
InfoWorld writer Fahmida Y. Rashid interviews Nicko van Someren, chief technology officer of The Linux Foundation about The Core Infrastructure Initiative’s Best Practices Badge program.
Businesses increasingly rely on open source software, but they usually don’t have a way to tell if developers are following secure coding practices, how they handle vulnerabilities and security updates, or how stable the software is. The CII Best Practices Badge program gives businesses answers to these questions.
Eduard Kovacs provides a list of projects that received badges as part of its best practices program so far.
The list of projects that earned badges so far includes Node.js, the Linux kernel, GitLab, OpenSSL, Curl, OpenBlox, the Zephyr Project, and Syncthing. Tens of other open source apps are in the process of getting certified.
The Linux Foundation’s chief technology officer Nicko van Someren explains the importance of a unifying open source badge program.
Swapnil Bhartiya provides an overview of the CII Best Practices Badges Progam.
While open source projects boast of being more secure compared to proprietary solutions, the fact is not every project has resources or mechanism to ensure security. In many cases there are not enough eyeballs to render all bugs shallow.
CII enables technology companies, industry stakeholders and esteemed developers to collaboratively identify, fund and improve the security of critical open source projects.
Read more at CIO.
ZDNet covers the release of the first round of CII Best Practices badges as part of a program designed to improve the quality and security of open-source software.
Marion Nester of Softpedia covers the basics of CII Best Practices Badges Program.
Dubbed CII Best Practices Badges, the free badge program has been created by Linux Foundation’s Core Infrastructure Initiative (CII) project. Its main goal is determining the security, stability, and quality and various open source software projects, and among the first to earn these badges are the well-known Linux kernel, OpenSSL, Node.js, GitLab, cURL, Zephyr, and OpenBlox.
SecurityWeek has published an article by CII’s Emily Ratliff called No Exit: The Case for Moving Security Information Front and Center.
The top 4 were picked for brevity for this article, but I encourage you to compare the full lists for greater impact. With this in mind, the similarities between the two lists released 13 years apart are startling and humbling.
Read more at SecurityWeek.
SecurityWeek has published an article by CII’s Emily Ratliff called Establishing Correspondence Between an Application and its Source Code.
Soon it will be possible to enroll the signed hashes from the package management system as IMA attributes during the installation process. Then, if you configure your system to be IMA enforcing, you will know that every running application came from your trusted distribution.
If your trusted distribution uses reproducible builds, then you will be able directly trace the chain of integrity of the executing process back to the original code and know that the code has not been subverted during delivery.
Read more at SecurityWeek.
Klint Finley mentions CII in an article for Wired about the problems monetizing open source development efforts, called One Startup’s Heretical Plan to Turn Open Source Code Into Cash.
Non-profit organizations like the Linux Foundation have stepped in to help fund a growing number of projects in recent years. For example, the Linux Foundation started the Core Infrastructure Initiative to help fund OpenSSL and other crucial but obscure open source projects.
Read more at Wired.