Best Practices Program

The Core Infrastructure Initiative (CII) Best Practices Program is a free program designed with the open source community. Its criteria evolve to allow for compensating controls rather than imposing a strict mechanical process.

The Best Practices Program is an open source secure development maturity model. Projects having a CII badge will showcase the project’s commitment to security. Open source project maintainers answer a short questionnaire to be awarded a “Best Practices Badge”. The CII Best Practices Badge is inspired by the multitude of badges available to projects on GitHub. Examples of initial criteria include basic open source development practices (website, open source license, and user engagement), use of change control tools, attention to quality (automated test suite), and focus on security (secure project delivery method, use of dynamic and static analysis tools, as appropriate for the project). Consumers of the badge will be able to quickly assess which open source projects care about security-conscious development. The goal of the first release of the criteria is to codify existing practices used by open source projects big and small. This discussion is ongoing and you are invited to make your voice heard.

Review the criteria and submit pull requests or file issues for areas where you would like to see refinement. You may provide feedback about the criteria on the cii-badges mailing list.

The CII has been replaced by the Open Source Security Foundation (OpenSSF). In particular, the CII Best Practices badge work continues as part of the OpenSSF Best Practices Working Group.