Organizations that rely on open source software can use the badges to identify projects that follow a security-focused methodology. Developers benefit from taking part in the CII Best Practices Badge program because they can quickly find out whether their projects meet open source best practices. And if they fall short of the badging requirements, they get feedback on what to fix.
"Open source projects often have very good security practices in place but need a way to validate those against industry and community best practices and ensure they're always improving," said Someren.
The Linux Foundation backed the Core Infrastructure Initiative in April 2014 after the disclosure of the Heartbleed vulnerability in OpenSSL. Many open source projects considered critical to the global infrastructure turned out to lack the dedicated resources necessary to maintain and improve the software. CII provides funds and other types of support for those open source projects.
Like any open source initiative, the badge program needs the developer community to be involved. The program is led by David A. Wheeler, an open source and security research expert with the Institute for Defense Analyses (IDA), and Dan Kohn, a CII senior advisor. Even though the best practices developed by IDA aren't aligned with a specific framework or standard, there was a consensus on what should be included in the set, Someren said. And in cases where things don't quite match up, developers are encouraged to provide input so the program includes the most relevant criteria.
"The list of best practices should reflect what the community thinks," Someren said. "Go to GitHub and collaborate on the best practices list."
As more and more organizations rely on open source software, there are a lot of concerns about security. Much of the attention thus far has been on static and dynamic analysis, to uncover security vulnerabilities in code, and on ensuring that developers use secure third-party libraries and components when writing code. Recently, Underwriters Laboratories (UL) announced a Cybersecurity Assurance Program to test network-connected products for software vulnerabilities. CII's badging program approaches software security from a different angle.
"Everyone is working towards the same goal, but everyone has a different approach," Someren said. "More information is always better."