The Linux Foundation’s Open Source Security Foundation (OpenSSF) introduced the Open Source Project Security Baseline (OSPS Baseline) to improve the security of open source software. The OSPS Baseline is a comprehensive checklist that provides a set of minimum security practices to reduce the risk of vulnerabilities in open source projects. It aims to increase the trustworthiness of these projects by guiding developers on key security tasks and configurations. This initiative involves contributions from OpenSSF and other groups, and the baseline is structured to grow alongside a project, ensuring long-term security improvements.
The OSPS Baseline is divided into several levels, with Level 1 serving as the foundational security floor.
Level 1 covers essential security measures such as multi-factor authentication (MFA), requirements for contributors, release and licensing practices, and documentation. This level encourages all projects to meet at least these basic security standards, ensuring a universal level of security across open source software. Projects that don’t have specific sponsor requirements are urged to meet these Level 1 expectations.
For projects with larger user bases, Level 3 is recommended, offering more advanced security practices.
Level 3 includes more in-depth measures like privilege management, robust release procedures, detailed project documentation, and comprehensive testing. This higher level of security is meant for projects that have a significant impact and need to adhere to stronger protocols to protect their users. By structuring the baseline into levels, the framework can accommodate both small and large projects with varying security needs.
Per Beming, Chief Standardization Officer at Ericsson, emphasized the importance of the OSPS Baseline, calling it a vital tool for improving open source security. It provides actionable steps for all stakeholders in the ecosystem, including manufacturers, stewards, and project maintainers, to enhance the security of the open source supply chain. The OSPS Baseline is maintained by a special interest group, with contributions encouraged from all sectors to refine and promote its use across the community.