It’s surprising to no one that most companies use open source software to fuel some part of their tech stack. However, when we say “most,” we mean 95-97% by most estimates. That’s an astonishing statistic in a world where the tech options are truly vast and varied. This makes open source security a critical piece of keeping assets safe.
See also: Future Proofing Your Data Strategy with a Multi-Tech Platform
As a response to this continued trend, the Open Source Security Foundation has released the Open Source Project Security Baseline (OSPS). It’s a framework to help guide the implementation of best practices in security for open source projects. This baseline offers a structured approach to securing open-source software, addressing the unique challenges posed by the collaborative and transparent nature of open-source development. By setting clear security standards, the OSPS Baseline hopes to foster safer ecosystems while maintaining the collaborative nature of open source.
Why this benchmark?
OSPS Baseline is a structured set of security requirements designed to enhance the security of open source projects. It provides guidance on implementing a minimum set of best practices to reduce vulnerabilities and improve a project’s trustworthiness.
The OSPS Baseline is organized into three maturity levels to accommodate projects of different scales and complexities. Maturity Level 1 is suitable for any project, regardless of size or number of maintainers, and sets a basic “universal security floor.” Maturity Level 2 targets projects with at least two maintainers and some consistent users. Finally, Maturity Level 3 is intended for projects with a large regular user base, focusing on more rigorous security measures.
Key aspects covered by the OSPS Baseline include access control, build and release practices, documentation standards, and vulnerability management. The framework then evolves along with the projects it supports. As a result, security practices remain relevant as project needs and external conditions change. Moreover, by aligning with international cybersecurity frameworks and regulations, such as the EU Cyber Resilience Act and the U.S. NIST Secure Software Development Framework, the OSPS Baseline helps maintainers improve compliance with regulatory requirements.
Securing open source without stifling it
Companies want to continue to use and contribute to open source solutions. Working with open source is a viable route as cybersecurity becomes more complex.
Here are some key reasons for its launch:
- Growing Dependence on Open Source Software: Open source projects are integral to many commercial products and government systems, making their security a high priority for many stakeholders.
- Standardizing Security Practices: The OSPS Baseline provides a standard set of practices that are practical and adaptable across various open source projects, regardless of their size or the sector in which they operate. This helps maintainers adopt a consistent approach to securing their software.
- Enhancing Trust: By adhering to the baseline, open source projects can signal to users and contributors that they take security seriously, which can strengthen trust and encourage wider adoption and contribution.
- Regulatory Compliance: The baseline aligns with international cybersecurity frameworks and regulations, such as the EU Cyber Resilience Act and the U.S. National Institute of Standards and Technology’s Secure Software Development Framework. This alignment helps projects meet regulatory requirements and prepare for future regulations.
- Community Collaboration and Improvement: The baseline is maintained through community collaboration, allowing a wide range of stakeholders, including developers, maintainers, and industry experts, to contribute to and refine security practices. This collaborative approach helps ensure that the baseline evolves in response to new security challenges and technological advances.
Designed to complement other protocols
The integration of the Open Source Project Security Baseline (OSPS Baseline) with existing security protocols is crucial for organizations that rely heavily on open source software. This baseline does not exist in isolation; instead, it works alongside other established security standards to provide a comprehensive security strategy. For organizations already implementing ISO/IEC 27001 or the NIST Cybersecurity Framework, the OSPS Baseline adds a layer of security specifically tailored to the nuances of open source projects. This targeted approach helps address potential gaps that generic security protocols might overlook, especially in open source contributions and maintenance.
By aligning the OSPS Baseline with other protocols, organizations can ensure a more holistic approach to cybersecurity. This integration helps achieve better compliance with international standards and fosters a strong security culture spanning all aspects of software development, including open source. Moreover, for projects that must adhere to stringent regulatory requirements, combining these frameworks ensures organizations. cover all bases, including general data protection and specific open-source vulnerabilities.
Building better open source
The Open Source Project Security Baseline marks a significant advancement in how we secure open source software. The OSPS Baseline addresses the need for security benchmarks by providing structured, scalable guidelines that grow with the project. This ensures that as open source software evolves, it remains trustworthy and compliant with global standards. As we move forward, the continued refinement and adoption of the OSPS Baseline will be pivotal in shaping a safer open source community for everyone involved.
Elizabeth Wallace is a Nashville-based freelance writer with a soft spot for data science and AI and a background in linguistics. She spent 13 years teaching language in higher ed and now helps startups and other organizations explain – clearly – what it is they do.
