core infrastructure initiative cii best practices badge
play

Core Infrastructure Initiative (CII) Best Practices Badge: One Year - PowerPoint PPT Presentation

May 13, 2023 •549 likes •982 views

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler 2017-02-08 dwheeler @ ida.org Personal: dwheeler @

  1. Institute for Defense Analyses 4850 Mark Center Drive  Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler 2017-02-08 dwheeler @ ida.org Personal: dwheeler @ dwheeler.com, Twitter: drdavidawheeler GitHub & GitLab: david-a-wheeler https://www.dwheeler.com

  2. Background  It is not the case that “all OSS* is insecure” … or that “all OSS is secure”  Just like all other software, some OSS is (relatively) secure.. and some is not  Heartbleed vulnerability in OpenSSL  Demonstrated in 2014 that some widely-used OSS didn’t follow commonly-accepted practices & needed investment for security  Linux Foundation created Core Infrastructure Initiative (CII) in 2014  “to fund and support critical elements of the global information infrastructure”  “CII is transitioning from point fixes to holistic solutions for open source security” *OSS=Open source software 1

  3. CII Best Practices Badge  OSS tends to be more secure if it follows good security practices, undergoes peer review, etc.  How can we encourage good practices?  How can anyone know good practices are being followed?  Badging project approach:  Identified a set of best practices for OSS projects  Best practices is for OSS projects ( production side)  Based on existing materials & practices  Created web application: OSS projects self-certify  If OSS project meets criteria, it gets a badge (scales!)  No cost, & independent of size / products / services / programming language  Self-certification mitigated by automation, public display of answers (for criticism), LF spot-checks, LF can override 2

  4. BadgeApp: Home page To get your OSS project a badge, go to https://bestpractices.coreinfrastructure.org/ 3

  5. Criteria  Currently one level (“passing”)  Captures what well-run projects typically already do  Not “they should do X, but no one does that”  66 criteria in 6 groups:  Basics  Change Control  Reporting  Quality  Security Source:  Analysis https://github.com/linuxfoundation/cii-best-practices-badge/ blob/master/doc/criteria.md 4

  6. Badge scoring system  To obtain a badge, all:  MUST and MUST NOT criteria (42/66) must be met  SHOULD (10/66) met, OR unmet with justification  Users can see those justifications & decide if that’s enough  SUGGESTED (14/66) considered (met or unmet)  People don’t like admitting they didn’t do something  In some cases, URL required in justification (to point to evidence; 8/66 require this) 5

  7. Initial announcement  General availability announced May 2016  Early badge holders:  BadgeApp (itself!)  Node.js  Linux kernel  curl  GitLab  OpenSSL (pre-Heartbleed missed 1/3 criteria)  Zephyr project Source: https://bestpractices.coreinfrastructure.org/projects 6

  8. CII badges are getting adopted! All Over 500! projects Projects with non- trivial progress Daily activity Source: https://bestpractices.coreinfrastructure.org/project_stats 7 as of 2017-02-06

  9. Some additional badge holders  CommonMark  OPNFV (open network (Markdown in PHP) functions virtualization)  Apache Libcloud  JSON for Modern C++  Apache Syncope  NTPsec  GnuPG  LibreOffice  phpMyAdmin  OpenUnison  pkgsrc  sqrl-server-base  openstack  Blender  OWASP ZAP (web app  dpkg scanner)  libseccomp 60 “passing” badges as of 2017-02-08 8 Source: https://bestpractices.coreinfrastructure.org/projects?gteq=100&sort=achieved_passing_at

  10. Sample impacts of CII badge process  OWASP ZAP (web app scanner)  Simon Bennetts: “[it] helped us improve ZAP quality… [it] helped us focus on [areas] that needed most improvement.”  Change: Significantly improved automated testing  CommonMark (Markdown in PHP) changes:  TLS for the website (& links from repository to it)  Publishing the process for reporting vulnerabilities  OPNFV (open network functions virtualization)  Change: Replaced no-longer-secure crypto algorithms  JSON for Modern C++  “I really appreciate some formalized quality assurance which even hobby projects can follow.”  Change: Added explicit mention how to privately report errors  Change: Added a static analysis check to continuous integration script Source: https://github.com/linuxfoundation/cii-best-practices-badge/wiki/Impacts 9

  11. Biggest challenges today for getting a badge  Looked at all projects 90%+ but not passing  52 projects. MUST with Unmet or “?” => Top 10 challenges: # Criterion %missed 1 tests_are_added 25% Vulnerability reporting 2 vulnerability_report_process 23% Tests 3 sites_https 17% 4 test_policy 15% HTTPS 5 static_analysis 15% Analysis 6 dynamic_analysis_fixed 15% 7 vulnerability_report_private 13% Document- 8 know_common_errors 12% ation Know 9 know_secure_design 10% secure This data is as of 10 documentation_interface 8% development 2017-02-06 12:20ET Changing to 75%+ (81 projects) top 10 list has a slightly different order but the set is the same, 10 except that 75%+ adds warnings_fixed as its #10 & know_common_errors moves #8  #11

  12. Tests  Criteria  #1 The project MUST have evidence that such tests are being added in the most recent major changes to the project. [tests_are_added]  #4 The project MUST have a general policy (formal or not) that as major new functionality is added, tests of that functionality SHOULD be added to an automated test suite. [test_policy]  Automated testing is important  Quality, supports rapid change, supports updating dependencies when vulnerability found  No coverage level required – just get started 11

  13. Vulnerability reporting  Criteria  #2 “The project MUST publish the process for reporting vulnerabilities on the project site.” [vulnerability_report_process]  #8 “If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private.” [vulnerability_report_private]  Just tell people how to report!  In principle easy to do – but often omitted  Projects need to decide how 12

  14. HTTPS  #3 “The project sites (website, repository, and download URLs) MUST support HTTPS using TLS.” [sites_https]  Details:  You can get free certificates from Let's Encrypt.  Projects MAY implement this criterion using (for example) GitHub pages, GitLab pages, or SourceForge project pages.  If you are using GitHub pages with custom domains, you MAY use a content delivery network (CDN) as a proxy to support HTTPS.  We’ve been encouraging hosting systems to support HTTPS 13

  15. Analysis  #5 “At least one static code analysis tool MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language.” [static_analysis]  A static code analysis tool examines the software code (as source code, intermediate code, or executable) without executing it with specific inputs.  #6 “All medium and high severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed.” [dynamic_analysis_fixed]  Early versions didn’t allow “N/A”; this has been fixed. 14

  16. Know secure development  Criteria  #8 “The project MUST have at least one primary developer who knows how to design secure software.” [know_secure_design]  #9 “At least one of the primary developers MUST know of common kinds of errors that lead to vulnerabilities in this kind of software, as well as at least one method to counter or mitigate each of them.” [know_common_errors]  Specific list of requirements given – doesn’t require “know everything”  Perhaps need short “intro” course material? 15

  17. Documentation  #10 “The project MUST include reference documentation that describes its external interface (both input and output).” [documentation_interface]  Some OSS projects have good documentation – but some do not 16

  18. Good news  Many criteria are widely met, e.g.:  Use of version control - repo_track  Process for submitting bug reports - report_process  No unpatched vulnerabilities of medium or high severity publicly known for more than 60 days - vulnerabilities_fixed_60_days 17

  19. Higher-level criteria  Have developed draft criteria for higher-level badges  Current names: “passing+1” and “passing+2”  Passing+2 expected to be harder and not necessarily achievable by single-person projects  Merged from proposals, NYC 2016 brainstorm, OW2, Apache maturity model  Expect to drop/add criteria due to feedback  ANNOUNCING: It’s available for feedback:  https://github.com/linuxfoundation/cii-best-practices- badge/blob/master/doc/other.md  We’d love your feedback! 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler

Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler 2017-09-12 dwheeler @ ida.org Personal: dwheeler @

819 views • 50 slides
ADULT AWARDS 2018 50 & FABULOUS THANKS II BADGE THANKS II BADGE Yvonne Grant THANKS BADGE

ADULT AWARDS 2018 50 & FABULOUS THANKS II BADGE THANKS II BADGE Yvonne Grant THANKS BADGE

ADULT AWARDS 2018 50 & FABULOUS THANKS II BADGE THANKS II BADGE Yvonne Grant THANKS BADGE THANKS BADGE Donna Smeland GSSC AWARD GSSC AWARD Debbie Crossman - SU#44 Marilyn Hall - SU#13 Maureen Hernandez - SU#25 Sheryl Hoffman - SU#46

1.1k views • 105 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
ACADEMIC LANGUAGE AND LITERACY IN EVERY SUBJECT: CORE PRACTICES

ACADEMIC LANGUAGE AND LITERACY IN EVERY SUBJECT: CORE PRACTICES

ACADEMIC LANGUAGE AND LITERACY IN EVERY SUBJECT: CORE PRACTICES FOR HELPING ENGLISH LEARNERS SURPASS COMMON CORE STATE STANDARDS DAY 2 ALDNetwork.org

1.53k views • 88 slides
Asset Management: Citywide Practices for Maintaining Infrastructure and Identifying Capital

Asset Management: Citywide Practices for Maintaining Infrastructure and Identifying Capital

Office of the Independent Budget Analyst Asset Management: Citywide Practices for Maintaining Infrastructure and Identifying Capital Needs Presentation to the Infrastructure Committee March 18, 2013 Introduction During the Infrastructure

311 views • 15 slides
Contractor Orientation Basics Know your CSU Point of Contact. Keep your Contractor Badge

Contractor Orientation Basics Know your CSU Point of Contact. Keep your Contractor Badge

Contractor Orientation Basics Know your CSU Point of Contact. Keep your Contractor Badge on you and visible at all times. Refer to the back of your Contractor Badge for important phone numbers and the link for CSUs list of

415 views • 13 slides
BalCCon 2K16 Badge Instructions for use and schematic diagram 1. Badge SWITCH ON: Press and

BalCCon 2K16 Badge Instructions for use and schematic diagram 1. Badge SWITCH ON: Press and

BalCCon 2K16 Badge Instructions for use and schematic diagram 1. Badge SWITCH ON: Press and release the lower button. Rotating LED pattern in CW direction signifies that the unit is ON. SWITCH OFF: Press and release the lower button again.

558 views • 10 slides
What is This Iowa Core and Common Core Curriculum? And where are we in the implementation

What is This Iowa Core and Common Core Curriculum? And where are we in the implementation

What is This Iowa Core and Common Core Curriculum? And where are we in the implementation process? What is the Common Core? The Common Core State Standards Initiative is sponsored by the National Governors Association (NGA) and the Council of

567 views • 21 slides
World Scout Badge World Scout Badge History of Scouting History of Scouting in Singapore

World Scout Badge World Scout Badge History of Scouting History of Scouting in Singapore

World Scout Badge World Scout Badge History of Scouting History of Scouting in Singapore Scout Promise Scout Law Scout Salute Left Hand Shake Scout Uniform Badges History of Scouting It all started

725 views • 13 slides
PostgreSQL upgrade best practices Infrastructure at your Service. About me Daniel Westermann

PostgreSQL upgrade best practices Infrastructure at your Service. About me Daniel Westermann

Infrastructure at your Service. PostgreSQL upgrade best practices Infrastructure at your Service. About me Daniel Westermann Senior Consultant Open Infrastructure Technology Leader +41 79 927 24 46 daniel.westermann@dbi-services.com Page 2

947 views • 90 slides
Blue Badge Changes / Solutions Andy Sandford Founder Marcus Devaney Product Designer Old New

Blue Badge Changes / Solutions Andy Sandford Founder Marcus Devaney Product Designer Old New

Blue Badge Changes / Solutions Andy Sandford Founder Marcus Devaney Product Designer Old New BBIS Jan 2019 Blue Badge Digital Service Hidden Disabilities Top Level Business Case The new criteria will extend eligibility to people who:

599 views • 12 slides
Merit Badges and Social Distancing What has changed, what has not? Picking a Merit Badge.

Merit Badges and Social Distancing What has changed, what has not? Picking a Merit Badge.

Merit Badges and Social Distancing What has changed, what has not? Picking a Merit Badge. Finding a Counselor. Getting started. Merit Badge worksheets. Tracking Progress. Resources. What has changed, what

313 views • 12 slides
A PTC India Presentation 15th Core Course of South Asia Forum of Infrastructure Regulators

A PTC India Presentation 15th Core Course of South Asia Forum of Infrastructure Regulators

A PTC India Presentation 15th Core Course of South Asia Forum of Infrastructure Regulators (SAFIR) Infrastructure Regulation Issues and Challenges with focus on Ports and Airports 18 th November 2015 ASCI Hyderabad 1/6/2016 1 Strictly

1.05k views • 51 slides
YOU CANT DO IT JFK What do we live for? (Badge) What do we strive for? (Goals) What do we

YOU CANT DO IT JFK What do we live for? (Badge) What do we strive for? (Goals) What do we

IF YOU CANT IMAGINE IT YOU CANT DO IT JFK What do we live for? (Badge) What do we strive for? (Goals) What do we stand for? (Values) This Photo by Unknown Author is licensed under CC BY What do you want? How much does it cost?

556 views • 40 slides
Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception

Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception

YouthMetre - Training Materials Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception Today, the sharing of practices is one of the first things to be carried out in a knowledge management initiative. The

213 views • 8 slides
Introduction Mamie Kresses Attorney FTC Division of Advertising Practices Things to Know

Introduction Mamie Kresses Attorney FTC Division of Advertising Practices Things to Know

Introduction Mamie Kresses Attorney FTC Division of Advertising Practices Things to Know You must go through security every time you return to the building Return badge and lanyard before you leave In the event of emergency,

820 views • 59 slides
Multifractal analysis of arithmetic functions St ephane Jaffard Universit e Paris Est

Multifractal analysis of arithmetic functions St ephane Jaffard Universit e Paris Est

Multifractal analysis of arithmetic functions St ephane Jaffard Universit e Paris Est (France) Collaborators: Arnaud Durand Universit e Paris Sud Orsay Samuel Nicolay Universit e de Li` ege International Conference on Advances on

580 views • 46 slides
KNL KNL KNL KNL KNL KNL KNL Example code: Check available memory [Xajacks@eln4

KNL KNL KNL KNL KNL KNL KNL Example code: Check available memory [Xajacks@eln4

KNL E XPERIENCES Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc KNL KNL KNL KNL KNL KNL KNL Example code: Check available memory [Xajacks@eln4 Mg2SiO4-geom]$ numactl --hardware available: 2 nodes (0-1) node 0 cpus: 0 2 4 6 8

899 views • 32 slides
Logistics The Renderman Shading Language Checkpoint 3 Grading underway Checkpoint 4

Logistics The Renderman Shading Language Checkpoint 3 Grading underway Checkpoint 4

Logistics The Renderman Shading Language Checkpoint 3 Grading underway Checkpoint 4 Due Monday RenderMan Assigned today (but not due for several weeks) Project Proposals All should have received e-mail feedback.

608 views • 12 slides
A Non-Compact Elliptic Genus Sujay Ashok Jan Troost 1004.3649 and CNRS Ecole Normale

A Non-Compact Elliptic Genus Sujay Ashok Jan Troost 1004.3649 and CNRS Ecole Normale

Crete 22/03/11 A Non-Compact Elliptic Genus Sujay Ashok Jan Troost 1004.3649 and CNRS Ecole Normale Superieure 1101.1059 with Sujay Ashok The Plan Sketch of various Contexts Introduction of a Simple Model The calculation of a

724 views • 44 slides
RESTful Approaches To Financial Systems Integration Kirk Wylie qCon London 2009

RESTful Approaches To Financial Systems Integration Kirk Wylie qCon London 2009

RESTful Approaches To Financial Systems Integration Kirk Wylie qCon London 2009 kirk@kirkwylie.com, http://kirkwylie.blogspot.com/ About You Introduction Integration Problems in Financial Services REST to the Rescue Applying REST

396 views • 26 slides
Best prac*ces for HTTP-CoAP mapping implementa*on

Best prac*ces for HTTP-CoAP mapping implementa*on

Best prac*ces for HTTP-CoAP mapping implementa*on dra$-castellani-core-h/p-mapping-01 Angelo P. Castellani, Salvatore Loreto, Akbar Rahman, Thomas

655 views • 16 slides
Neogene Atlas Fossils Rock Layer Images Capitola Beach, near Santa Cruz, California Image is

Neogene Atlas Fossils Rock Layer Images Capitola Beach, near Santa Cruz, California Image is

Neogene Atlas Fossils Rock Layer Images Capitola Beach, near Santa Cruz, California Image is from Hendricks (2017), Nature of the Fossil Record. In: the Digital Encyclopedia of Ancient Life

395 views • 3 slides
sss r ss s t

sss r ss s t

sss r ss s t rs r trt str st t

295 views • 6 slides

More recommend