Software · 2021-10-02

Google announces $1 million for Secure Open Source Program by Linux

Google has announced it would invest US $1 million in the Secure Open Source (SOS) pilot program run by the Linux Foundation.

In this program, developers are rewarded financially for enhancing the security of open source projects. Google said in its blog that it would start with this initial investment & then expand the program based on community feedback.

Secure Open Source Program

What Projects Are In Secure Open Source Program?


Since there is no single definition of what makes an open source project critical, the selection process will be “holistic”. When evaluating submissions, the program will consider the National Institute of Standards and Technology’s definition of critical software, produced in response to the recent Executive Order on Cybersecurity, along with the criteria listed below:

  • The impact of the project:
    • How many & what types of users will be affected by the security improvements?
    • Will the improvements have a significant impact on infrastructure & user security?
    • If the project were compromised, how serious or wide-reaching would the implications be?
  • The project’s rankings in existing open source criticality research:


What Security Improvements Qualify? 


The program will focus on rewarding the following work:

  • Software supply chain security improvements including hardening CI/CD pipelines & distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation & verification.
  • Adoption of software artifact signing and verification. One option to consider is Sigstore’s set of utilities (e.g. cosign).
  • Project improvements that produce higher OpenSSF Scorecard results. For example, a contributor can follow remediation suggestions for the following Scorecard checks:
    • Code-Review
    • Branch-Protection
    • Pinned-Dependencies
    • Dependency-Update-Tool
    • Fuzzing
  • Use of OpenSSF Allstar & remediation of discovered issues.
  • Earning a CII Best Practices Badge (which also improves the Scorecard results).
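As an added illustration of the Pinned-Dependencies Scorecard check named above (example code written for this page, not part of the article or of the Scorecard project), the following checker flags GitHub Actions `uses:` references that are pinned to a tag or branch rather than to a full commit SHA. The workflow text and the SHA in it are constructed sample data.

```python
import re

# Constructed sample GitHub Actions workflow (not from the page). The first two
# `uses:` lines are pinned to a tag and a branch, which can move; the third is
# pinned to a full commit SHA (a placeholder value, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@main
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v2.2.2
      - run: go build ./...
"""

# Capture the reference after `uses:` up to whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)', re.MULTILINE)
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def unpinned_actions(workflow_text):
    """Return the `uses:` references that are not pinned to a full commit SHA.

    Tag and branch references (e.g. @v2, @main) are mutable, so a compromised
    upstream repository could change what the workflow runs without any diff
    on the consuming side; SHA pinning removes that risk.
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        # Local (./path) and container (docker://) references are outside
        # the scope of this check.
        if ref.startswith('./') or ref.startswith('docker://'):
            continue
        if '@' not in ref:
            findings.append(ref)  # no version at all: floats to the default branch
            continue
        _, version = ref.rsplit('@', 1)
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


if __name__ == '__main__':
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f'not SHA-pinned: {ref}')
```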
