OpenSSF Publishes Security Framework for Open Source Software

The Open Source Security Foundation (OpenSSF) has claimed a “significant milestone” after releasing a new set of best practices designed to improve the security posture of open source projects.
The Open Source Project Security (OSPS) Baseline outlines the various tasks, processes, artifacts and configurations that developers need to put in place to mitigate risk, enhance trust and improve compliance with global regulations like the EU’s Cyber Resilience Act (CRA).
It is also aligned with other best practice standards and frameworks like the NIST Secure Software Development Framework (SSDF), the OpenSSF said.
The OSPS Baseline was compiled from existing best practice guidance provided by the OpenSSF and other industry groups, and offers a “tiered framework” of activities that will vary depending on the maturity of the project.
Read more on open source security: Open Source Repository Attacks Soar 700% in Three Years.
Independent open source community manager Stacey Potter said the initiative has benefitted from feedback during the pilot rollout.
“We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project,” she added. “Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone.”
Ben Cotton, open source community lead at Kusari and OSPS Baseline co-maintainer, said the focus is on providing “actionable, practical guidance” to help developers improve security posture.
“Too often, security advice is vague or impractical, but Baseline aims to change that,” he argued. “Every improvement to open source security strengthens the modern software ecosystem, making it safer for everyone.”
A Cautious Welcome
Jamie Scott, founding product manager at Endor Labs, gave the initiative a cautious welcome, but argued that smaller projects cannot be expected to follow the guidelines.
“The OpenSSF security baseline is a double-edged sword for the industry. It has the potential to push us forward or hold us back. The key is how we use it,” he argued.
“What is reasonable is making maturity levels visible so the private sector can make informed risk management decisions. That’s how we make these baselines a meaningful symbol of open source project maturity.”
Mike McGuire, senior manager at Black Duck, said the OSPS Baseline should help to mitigate software supply chain risks.
“Initiatives like access control, vulnerability management and branch protection lock down the common paths attackers use to take over a legitimate project and plant the seeds for a supply chain attack,” he said.
“However, no matter what is done by project owners, no commercial application will be made any more secure if development organizations don’t invest more in managing the open source they leverage. If development organizations aren’t tracking the open source projects that they leverage and are not evaluating them for risk or their adherence to frameworks like the OSPS Baseline, then they will continue to struggle with lingering vulnerabilities.”