Free Badge Program Signals What Open Source Projects Meet Criteria for Security, Quality and Stability
SAN FRANCISCO, CA--(Marketwired - May 03, 2016) - The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify, fund and improve the security of critical open source projects, today announced the general availability and issuance of its first round of CII Best Practices Badges. Early badge earners include Curl, GitLab, the Linux kernel, OpenBlox, OpenSSL, Node.js and Zephyr.
This is a free program that seeks to determine security, quality and stability of open source software. The CII Best Practices online app enables developers to quickly determine whether they are following best practices and to receive a badge they can display on GitHub and other online properties when they pass. The app and its criteria are an open source project to which developers can contribute.
The latest round of badges includes an assessment of OpenSSL, the open source software responsible for most encryption on the Internet, both before the Heartbleed vulnerability and after it received support from CII. Prior to Heartbleed, OpenSSL failed to meet more than one-third of the CII Best Practices Badge criteria. Today it meets 100 percent. This helps demonstrate how far OpenSSL has come with the support of the industry and how the CII Best Practices Badges can signal failing or passing scores. To review the open source projects that have received their badges and other projects in process, please visit: https://bestpractices.coreinfrastructure.org/projects
"Open source projects often have very good security practices in place but need a way to validate those against industry and community best practices and ensure they're always improving," said Nicko van Someren, CTO at The Linux Foundation. "Thanks to the generous contributions by the Core Infrastructure Initiative supporters, we're able to provide this program to educate developers on security best practices and provide a directory for developers and CIOs to understand what projects have an understanding and methodology that focuses on security."
Determining the security of software is an industry-wide challenge for both proprietary and open source software. As the role of open source software in supporting the world's most critical infrastructure has grown, it has become essential both to understand the best practices for security, quality and stability of this code and to be able to validate those criteria.