Organizations have plenty of choices when looking at open source software, but the challenge lies in picking the right project to fit their needs. The CII Best Practices Badge program from the Linux Foundation's Core Infrastructure Initiative is intended to help organizations evaluate open source technologies based on security, quality, and stability.
Businesses increasingly rely on open source software, but they usually don't have a way to tell if developers are following secure coding practices, how they handle vulnerabilities and security updates, or how stable the software is. The CII Best Practices Badge program gives businesses answers to these questions.
"Giving people information about how the code is produced is much more valuable than saying, 'This specific version is secure,'" said Nicko van Someren, CTO of Linux Foundation.
The CII Best Practices Badge program does not designate specific products or software versions as being secure or free of vulnerabilities. Instead, the program asks open source project owners to provide information about how their projects are managed and how the software is being developed. Projects that pass -- are following best practices -- receive a badge to display on GitHub and elsewhere.
Consider the program as open source software's equivalent to a LEED (Leadership in Energy & Environmental Design) certification, said Someren, referring to the certification program that indicates a project is following best practices for green buildings. If a building has LEED designation, that means the builders followed a set of green practices such as water savings, energy efficiency, and indoor environmental quality. Similarly, if an open source project earns a Best Practices Badge that means the developers behind the project meet CII's guidelines for security.
"We aren't focusing on specific versions of the software or products, but on the process being followed to develop the project," Someren said. "The badge indicates the project owners provided us proof that they are following best practices."
Inaugural badge holders include OpenSSL, Curl, GitLab, the Linux kernel, OpenBlox, Node.js, and Zephyr. CII's website has a searchable directory of open source projects that indicates whether they "pass" or "fail" CII best practices. Projects will have to renew their qualifications on an ongoing basis to ensure they continue to receive pass ratings.
Someren said OpenSSL is a good example of how a project can address issues with how it is being managed and improve its model. In 2014, when the Heartbleed vulnerability was disclosed, OpenSSL would have failed to meet more than a third of CII's requirements. Now, OpenSSL's current status is "passing" with no reported security issues.
Open source project owners can sign up for the badging program and learn more about the criteria on the CII Best Practices page.
Sign up for CIO Asia eNewsletters.