core infrastructure initiative cii best practices badge 1
play

Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years - PowerPoint PPT Presentation

Sep 14, 2022 •316 likes •819 views

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler 2017-09-12 dwheeler @ ida.org Personal: dwheeler @

  1. Institute for Defense Analyses 4850 Mark Center Drive  Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler 2017-09-12 dwheeler @ ida.org Personal: dwheeler @ dwheeler.com, Twitter: drdavidawheeler GitHub & GitLab: david-a-wheeler https://www.dwheeler.com

  2. Background  It is not the case that “all OSS* is insecure” … or that “all OSS is secure”  Just like all other software, some OSS is (relatively) secure.. and some is not  Heartbleed vulnerability in OpenSSL  Demonstrated in 2014 that some widely-used OSS didn’t follow commonly-accepted practices & needed investment for security  Linux Foundation created Core Infrastructure Initiative (CII) in 2014  “to fund and support critical elements of the global information infrastructure”  “CII is transitioning from point fixes to holistic solutions for open source security” *OSS=Open source software 1

  3. CII Best Practices Badge  OSS tends to be more secure if it follows good security practices, undergoes peer review, etc.  How can we encourage good practices?  How can anyone know good practices are being followed?  Badging project approach:  Identified a set of best practices for OSS projects  For production of OSS (for license compliance , see OpenChain)  Based on existing materials & practices  Created web application: OSS projects self-certify  If OSS project meets criteria, it gets a badge (scales!)  No cost, & independent of size / products / services / programming language  Self-certification mitigated by automation, public display of answers (for criticism), LF spot-checks, LF can override 2

  4. BadgeApp: Home page To get your OSS project a badge, go to https://bestpractices.coreinfrastructure.org/ 3

  5. Criteria  Three badge levels (passing, silver, gold)  For higher levels, must meet previous level  Passing:  Captures what well-run projects typically already do  Not “they should do X, but no one does that”  66 criteria in 6 groups:  Basics  Change Control  Reporting  Quality Source:  Security https://github.com/coreinfrastructure/best-practices-badge/ blob/master/doc/criteria.md  Analysis 4

  6. Badge scoring system  To obtain a badge, all:  MUST and MUST NOT criteria (42/66) must be met  SHOULD (10/66) met, OR unmet with justification  Users can see those justifications & decide if that’s enough  SUGGESTED (14/66) considered (met or unmet)  People don’t like admitting they didn’t do something  In some cases, URL required in justification (to point to evidence; 8/66 require this) 5

  7. Initial announcement  General availability announced May 2016  Early badge holders:  BadgeApp (itself!)  Node.js  Linux kernel  curl  GitLab  OpenSSL (pre-Heartbleed missed 1/3 criteria)  Zephyr project Source: https://bestpractices.coreinfrastructure.org/projects 6

  8. Some major projects with a best practice badge 7

  9. CII badges are getting adopted! Over 1000 projects participating! All projects Projects with non- trivial progress Over 100 passing! Source: https://bestpractices.coreinfrastructure.org/project_stats 8 as of 2017-09-19

  10. Some newer badge holders (since 2017-02-08)  Kubernetes  LXC - linux containers  libpki  lxd (Linux container manager)  Ipsilon (ID provider)  Xen  phpMyAdmin  Viua virtual machine  flawfinder  Umoci (modify open  OWASP dependency- container images) check  Iroha (decentralized  collectd ledger)  Prometheus  Hyperledger Sawtooth (monitoring/alerting) Distributed Ledger  LibreNMS (network  Hyperledger Fabric monitoring) 13 September 2017 9

  11. Sample impacts of CII badge process (1 of 2)  OWASP ZAP (web app scanner)  Simon Bennetts: “[it] helped us improve ZAP quality… [it] helped us focus on [areas] that needed most improvement.”  Change: Significantly improved automated testing  CommonMark (Markdown in PHP) changes:  TLS for the website (& links from repository to it)  Publishing the process for reporting vulnerabilities  OPNFV (open network functions virtualization)  Change: Replaced no-longer-secure crypto algorithms  JSON for Modern C++  “I really appreciate some formalized quality assurance which even hobby projects can follow.”  Change: Added explicit mention how to privately report errors  Change: Added a static analysis check to continuous integration script Source: https://github.com/coreinfrastructure/best-practices-badge/wiki/Impacts 10

  12. Sample impacts of CII badge process (2 of 2)  BRL-CAD  Probably would have taken an hour uninterrupted, getting to 100% passing was relatively easy  Website certificate didn’t match our domain, fixed  POCO C++ Libraries  “... thank you for setting up the best practices site. It was really helpful for me in assessing the status…”  Updated the CONTRIBUTING.md file to include a statement on reporting security issues  Updated the instructions for preparing a release in the Wiki to include running clang-analyzer  Enabled HTTPS for the project website  GNU Make  HTTPS. Convinced Savannah to support HTTPS for repositories (it supported HTTPS for project home pages) Source: https://github.com/coreinfrastructure/best-practices-badge/wiki/Impacts 11

  13. Biggest challenges today for getting a badge  All projects 90%+ but not passing (2017-09-06)  74 projects. MUST with Unmet or “?” => Top 10 challenges: # Criterion %miss Old rank# 1 vulnerability_report_process 22% 2 Vulnerability reporting 2 sites_https_status 20% 3 Tests 3 tests_are_added 19% 1 4 vulnerability_report_private 15% 7 HTTPS 5 test_policy 14% 4 Analysis Document- 6 dynamic_analysis_fixed 14% 6 ation (old 7 know_common_errors 12% 8 #10) now #11 8 static_analysis 12% 5 This data is as of Know 2017-09-06 15:20ET; 9 know_secure_design 11% 9 old rank from secure 2017-02-06 10 delivery_unsigned 9% 15 development Generally same challenges as 2017-02-06! 12 More projects are adding tests (good), so tests are slightly less common a problem

  14. Tests  Criteria  #1 The project MUST have evidence that such tests are being added in the most recent major changes to the project. [tests_are_added]  #4 The project MUST have a general policy (formal or not) that as major new functionality is added, tests of that functionality SHOULD be added to an automated test suite. [test_policy]  Automated testing is important  Quality, supports rapid change, supports updating dependencies when vulnerability found  No coverage level required – just get started 13

  15. Vulnerability reporting  Criteria  #2 “The project MUST publish the process for reporting vulnerabilities on the project site.” [vulnerability_report_process]  #8 “If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private.” [vulnerability_report_private]  Just tell people how to report!  In principle easy to do – but often omitted  Projects need to decide how 14

  16. HTTPS  #3 “The project sites (website, repository, and download URLs) MUST support HTTPS using TLS.” [sites_https]  Details:  You can get free certificates from Let's Encrypt.  Projects MAY implement this criterion using (for example) GitHub pages, GitLab pages, or SourceForge project pages.  If you are using GitHub pages with custom domains, you MAY use a content delivery network (CDN) as a proxy to support HTTPS.  We’ve been encouraging hosting systems to support HTTPS 15

  17. Analysis  #5 “At least one static code analysis tool MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language.” [static_analysis]  A static code analysis tool examines the software code (as source code, intermediate code, or executable) without executing it with specific inputs.  #6 “All medium and high severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed.” [dynamic_analysis_fixed]  Early versions didn’t allow “N/A”; this has been fixed. 16

  18. Know secure development  Criteria  #8 “The project MUST have at least one primary developer who knows how to design secure software.” [know_secure_design]  #9 “At least one of the primary developers MUST know of common kinds of errors that lead to vulnerabilities in this kind of software, as well as at least one method to counter or mitigate each of them.” [know_common_errors]  Specific list of requirements given – doesn’t require “know everything”  Perhaps need short “intro” course material? 17

  19. Documentation  #10 “The project MUST include reference documentation that describes its external interface (both input and output).” [documentation_interface]  Some OSS projects have good documentation – but some do not 18

  20. Good news  Many criteria are widely met, e.g.:  Use of version control - repo_track  Process for submitting bug reports - report_process  No unpatched vulnerabilities of medium or high severity publicly known for more than 60 days - vulnerabilities_fixed_60_days 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler

Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler 2017-02-08 dwheeler @ ida.org Personal: dwheeler @

982 views • 42 slides
ADULT AWARDS 2018 50 & FABULOUS THANKS II BADGE THANKS II BADGE Yvonne Grant THANKS BADGE

ADULT AWARDS 2018 50 & FABULOUS THANKS II BADGE THANKS II BADGE Yvonne Grant THANKS BADGE

ADULT AWARDS 2018 50 & FABULOUS THANKS II BADGE THANKS II BADGE Yvonne Grant THANKS BADGE THANKS BADGE Donna Smeland GSSC AWARD GSSC AWARD Debbie Crossman - SU#44 Marilyn Hall - SU#13 Maureen Hernandez - SU#25 Sheryl Hoffman - SU#46

1.1k views • 105 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
ACADEMIC LANGUAGE AND LITERACY IN EVERY SUBJECT: CORE PRACTICES

ACADEMIC LANGUAGE AND LITERACY IN EVERY SUBJECT: CORE PRACTICES

ACADEMIC LANGUAGE AND LITERACY IN EVERY SUBJECT: CORE PRACTICES FOR HELPING ENGLISH LEARNERS SURPASS COMMON CORE STATE STANDARDS DAY 2 ALDNetwork.org

1.53k views • 88 slides
Asset Management: Citywide Practices for Maintaining Infrastructure and Identifying Capital

Asset Management: Citywide Practices for Maintaining Infrastructure and Identifying Capital

Office of the Independent Budget Analyst Asset Management: Citywide Practices for Maintaining Infrastructure and Identifying Capital Needs Presentation to the Infrastructure Committee March 18, 2013 Introduction During the Infrastructure

311 views • 15 slides
Contractor Orientation Basics Know your CSU Point of Contact. Keep your Contractor Badge

Contractor Orientation Basics Know your CSU Point of Contact. Keep your Contractor Badge

Contractor Orientation Basics Know your CSU Point of Contact. Keep your Contractor Badge on you and visible at all times. Refer to the back of your Contractor Badge for important phone numbers and the link for CSUs list of

415 views • 13 slides
BalCCon 2K16 Badge Instructions for use and schematic diagram 1. Badge SWITCH ON: Press and

BalCCon 2K16 Badge Instructions for use and schematic diagram 1. Badge SWITCH ON: Press and

BalCCon 2K16 Badge Instructions for use and schematic diagram 1. Badge SWITCH ON: Press and release the lower button. Rotating LED pattern in CW direction signifies that the unit is ON. SWITCH OFF: Press and release the lower button again.

558 views • 10 slides
What is This Iowa Core and Common Core Curriculum? And where are we in the implementation

What is This Iowa Core and Common Core Curriculum? And where are we in the implementation

What is This Iowa Core and Common Core Curriculum? And where are we in the implementation process? What is the Common Core? The Common Core State Standards Initiative is sponsored by the National Governors Association (NGA) and the Council of

567 views • 21 slides
World Scout Badge World Scout Badge History of Scouting History of Scouting in Singapore

World Scout Badge World Scout Badge History of Scouting History of Scouting in Singapore

World Scout Badge World Scout Badge History of Scouting History of Scouting in Singapore Scout Promise Scout Law Scout Salute Left Hand Shake Scout Uniform Badges History of Scouting It all started

725 views • 13 slides
PostgreSQL upgrade best practices Infrastructure at your Service. About me Daniel Westermann

PostgreSQL upgrade best practices Infrastructure at your Service. About me Daniel Westermann

Infrastructure at your Service. PostgreSQL upgrade best practices Infrastructure at your Service. About me Daniel Westermann Senior Consultant Open Infrastructure Technology Leader +41 79 927 24 46 daniel.westermann@dbi-services.com Page 2

947 views • 90 slides
Blue Badge Changes / Solutions Andy Sandford Founder Marcus Devaney Product Designer Old New

Blue Badge Changes / Solutions Andy Sandford Founder Marcus Devaney Product Designer Old New

Blue Badge Changes / Solutions Andy Sandford Founder Marcus Devaney Product Designer Old New BBIS Jan 2019 Blue Badge Digital Service Hidden Disabilities Top Level Business Case The new criteria will extend eligibility to people who:

599 views • 12 slides
Merit Badges and Social Distancing What has changed, what has not? Picking a Merit Badge.

Merit Badges and Social Distancing What has changed, what has not? Picking a Merit Badge.

Merit Badges and Social Distancing What has changed, what has not? Picking a Merit Badge. Finding a Counselor. Getting started. Merit Badge worksheets. Tracking Progress. Resources. What has changed, what

313 views • 12 slides
A PTC India Presentation 15th Core Course of South Asia Forum of Infrastructure Regulators

A PTC India Presentation 15th Core Course of South Asia Forum of Infrastructure Regulators

A PTC India Presentation 15th Core Course of South Asia Forum of Infrastructure Regulators (SAFIR) Infrastructure Regulation Issues and Challenges with focus on Ports and Airports 18 th November 2015 ASCI Hyderabad 1/6/2016 1 Strictly

1.05k views • 51 slides
YOU CANT DO IT JFK What do we live for? (Badge) What do we strive for? (Goals) What do we

YOU CANT DO IT JFK What do we live for? (Badge) What do we strive for? (Goals) What do we

IF YOU CANT IMAGINE IT YOU CANT DO IT JFK What do we live for? (Badge) What do we strive for? (Goals) What do we stand for? (Values) This Photo by Unknown Author is licensed under CC BY What do you want? How much does it cost?

556 views • 40 slides
Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception

Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception

YouthMetre - Training Materials Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception Today, the sharing of practices is one of the first things to be carried out in a knowledge management initiative. The

213 views • 8 slides
Introduction Mamie Kresses Attorney FTC Division of Advertising Practices Things to Know

Introduction Mamie Kresses Attorney FTC Division of Advertising Practices Things to Know

Introduction Mamie Kresses Attorney FTC Division of Advertising Practices Things to Know You must go through security every time you return to the building Return badge and lanyard before you leave In the event of emergency,

820 views • 59 slides
Contact Me Blog: http://c1.ms/richd @rj_dudley richd@componentone.com Microsoft

Contact Me Blog: http://c1.ms/richd @rj_dudley richd@componentone.com Microsoft

11/5/2011 LightSwitch Onramp Rich Dudley Technical Evangelist Contact Me Blog: http://c1.ms/richd @rj_dudley richd@componentone.com Microsoft Azure: Enterprise Application Development http://bit.ly/msazurebook 1 11/5/2011

518 views • 7 slides
2019 NYCC Product Owner Vanessa Stokes Head of Customer Services Sarah Foley Blue Badge

2019 NYCC Product Owner Vanessa Stokes Head of Customer Services Sarah Foley Blue Badge

Blue Badge - Hidden Disabilities - August 2019 NYCC Product Owner Vanessa Stokes Head of Customer Services Sarah Foley Blue Badge Whats changing? From 30 August, people with hidden disabilities will be granted access to the Blue

429 views • 6 slides
Blue Badge Processing and Assessments Hannah Buckley Operations Supervisor Kent County Council

Blue Badge Processing and Assessments Hannah Buckley Operations Supervisor Kent County Council

Digitally Transforming Blue Badge Processing and Assessments Hannah Buckley Operations Supervisor Kent County Council Where did Kent Start? In January 2018: Just hitting 50% digital take-up 4 stage assessment process, all paper

567 views • 17 slides
Blue Badge Digital Service Daniel Fyfield | Service Owner Thank you The new criteria (England

Blue Badge Digital Service Daniel Fyfield | Service Owner Thank you The new criteria (England

Blue Badge Digital Service Daniel Fyfield | Service Owner Thank you The new criteria (England only) Extends eligibility explicitly to include people with an enduring (ongoing) and substantial disability which causes them, during the course of

350 views • 18 slides
WSP PHASE 1 RE-CAP Town Centre Study Outputs o Improving Connectivity and Gateway o Bus Stops

WSP PHASE 1 RE-CAP Town Centre Study Outputs o Improving Connectivity and Gateway o Bus Stops

WSP PHASE 1 RE-CAP Town Centre Study Outputs o Improving Connectivity and Gateway o Bus Stops On-Street and Congestion Relief o Green Walk and Cultural and Active Route o Pedestrian Priority Routes & Cycleway o Safer and Pedestrian-Friendly

311 views • 7 slides
SWERC2017 Opening Ceremony November 25-26 th 2017, Paris 1 Welcome Word Antoine Amarilli

SWERC2017 Opening Ceremony November 25-26 th 2017, Paris 1 Welcome Word Antoine Amarilli

SWERC2017 Opening Ceremony November 25-26 th 2017, Paris 1 Welcome Word Antoine Amarilli Contest Director 2 Guest Speeches Welcome Address from the Organizing Institution Head Guest Speaker, Yves Poilane , Director of T el ecom

580 views • 33 slides
SC Beta Ring Ching Pi Beta Phi was founded as I.C. Sorosis in 1867 at Monmouth College as

SC Beta Ring Ching Pi Beta Phi was founded as I.C. Sorosis in 1867 at Monmouth College as

SC Beta Ring Ching Pi Beta Phi was founded as I.C. Sorosis in 1867 at Monmouth College as the First Fraternity for Women. Official Symbol: Arrow Pi Beta Phi has 131 Collegiate Chapters Unofficial Symbol: Angel

688 views • 6 slides
Southwold Enterprise Hub DEVELOPMENT PLANS 11 NOVEMBER 2019 Southwold Background Station

Southwold Enterprise Hub DEVELOPMENT PLANS 11 NOVEMBER 2019 Southwold Background Station

Southwold Enterprise Hub DEVELOPMENT PLANS 11 NOVEMBER 2019 Southwold Background Station Yard development over 20 Enterprise Hub years Existing services what happens to the existing services needed by the community? Slides from

967 views • 45 slides

More recommend