The Linux Foundation says a new Core Infrastructure Initiative (CII) Best Practices Badge program, launched Tuesday, will help companies interested in adopting open source technologies evaluate projects based on security, quality and stability. The CII Best Practices Badge neither issues certificates nor validates open source projects. Instead, CII is a platform on which open source projects such as OpenSSL, Node.js, and GitLab self-disclose critical aspects of how they are run.
Linux Foundation CTO Nicko van Someren told Threatpost the badge program is the first of its kind for the open source community and offers a free alternative to costly commercial offerings, such as Corsec Security’s Common Criteria certification, which can cost upwards of $100,000. “Outwardly, this is a great way for project developers to be more transparent and methodical about how their solutions meet agreed upon software benchmarks,” Someren said. A CII Best Practices Badge, he said, removes doubt about whether an open source project is secure or stable enough for adoption within businesses.

The CII badge program will be equally useful for open source developers, Someren said. “Developers will be able to use this program to educate on security best practices and provide a directory for developers and CIOs to understand what projects have an understanding and methodology that focuses on security,” he said. The Linux Foundation has already announced inaugural badge holders, including Curl, GitLab, the Linux kernel, OpenBlox, OpenSSL, Node.js and Zephyr.

The CII website will act as a searchable repository of open source projects, allowing you to easily find a project and see whether it is “passing” or “failing” the CII best practices. For example, an OpenSSL CII badge entry from before the Heartbleed vulnerability was patched would have been “failing.” OpenSSL users can see this in the OpenSSL CII website entry, which includes basic, quality and security information about the project’s status. CII online badge entries will red-flag issues until the project developers fix the problems. OpenSSL’s current status is “passing” with no reported security issues. Someren said that if this type of best practices badge had existed before the massive Heartbleed outbreak, it could possibly have been avoided.
“Better internal and external oversight of open source projects can only be beneficial when it comes to security and reliability,” he said. The Core Infrastructure Initiative was created in April 2014 in the wake of Heartbleed. CII is made up of a group of leading IT companies that work together to identify critical open source projects and help fund them. Someren stresses that the CII Best Practices Badge program is itself an open project. “If you don’t like the criteria, you are part of the community and can change it,” he said. Project leaders themselves will be responsible for self-reporting. Program backers say a unifying open source badge program is needed because a growing number of open source projects, such as OpenSSL, are being adopted by the likes of Facebook, Microsoft and Google for critical infrastructure.