The Open Source Security Foundation (OpenSSF) on Feb. 25 released a three-tiered set of guidelines that aims to have developers build a minimum level of security into open source Linux software.
Dubbed "the Open Source Project Security Baseline (OSPS Baseline)," the project was developed with the understanding that attackers will always try to take advantage of open-source software to launch malicious supply chain attacks.
“The OSPS Baseline sets a clear, necessary floor for open-source security,” said Jason Soroko, senior fellow at Sectigo. “However, this potentially creates a fixed checklist that risks turning security compliance into a destination rather than a journey. Static baselines may lull projects into a false sense of safety as threat landscapes evolve.”
OSPS consists of three levels. Level 1 requires developers to build in multi-factor authentication (MFA), set collaborator permissions to the lowest available privileges, and require that project websites use SSH, HTTPS, or other encrypted channels.
For Level 2, CI/CD pipelines must be configured to the lowest available privileges except when explicitly elevated, all released software assets must be assigned a unique version identifier for each release, and project documentation must include a descriptive statement about the scope and duration of support.
Finally, Level 3 requirements are a bit stiffer, in that all compiled released software assets must include a software bill of materials (SBOM), and the project must perform a threat modeling and attack surface analysis.
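As an added illustration (not OpenSSF's own code or wording), a GitHub Actions workflow shows what the Level 2 rule on CI/CD least privilege looks like in practice: the workflow-wide default is read-only, and only the release job is explicitly elevated. The job names and `make` targets are assumed for the example.

```yaml
# Added example (not from OpenSSF): least-privilege CI/CD in GitHub Actions,
# in the spirit of the OSPS Baseline Level 2 requirement. Job names and
# make targets are placeholders chosen for this illustration.
name: build-and-release

on:
  push:
    branches: [main]
    tags: ['v*']

# Weak setting (what to avoid): omitting the top-level `permissions` key lets
# every job inherit the repository's default GITHUB_TOKEN scope, which may be
# read-write across all scopes.
#
# Corrected setting: the workflow-level default grants only read access to
# repository contents, so every job starts at the minimum.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only default; compiling and testing needs nothing more.
    steps:
      - uses: actions/checkout@v4
      - run: make test

  release:
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    # Explicit elevation, scoped to this job only: publishing a release
    # requires contents: write, and nothing else is granted.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: make dist
      - run: gh release create "$GITHUB_REF_NAME" dist/*
        env:
          GH_TOKEN: ${{ github.token }}
```

The tag-triggered release job also gives each published asset the unique version identifier that Level 2 calls for, since the tag name becomes the release name.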
“Conceptually it's good for developers to understand risks their code can impose, so they can get better at their craft, and produce a better product,” said Evan Dornbush, former NSA cybersecurity expert. “It's also good for consumers to make conscious decisions to not adopt products that don't have some baseline level of secure design.”
However, Dornbush said that while this seems well intentioned, it means consumers who already benefit from developers working for free are now also demanding free QA and risk analysis.
“At what point are consumers taking advantage of the good will of the volunteer open-source community?” asked Dornbush. “Consumers had no problem throwing unreviewed code into production until some recent high profile zero-days were found in widely used compression libraries. Instead of pushing this burden fully onto the builders, maybe consumers can band together and provide compensation for performing the labor involved in these now-required efforts.”
Sectigo’s Soroko pointed out that the real danger is not the floor itself, but the complacency it may breed. He said many developers might stop at Level 1, meeting only minimum sponsor requirements without advancing their practices.
“The baseline’s tiered model is meant to spur continuous improvement, but its success hinges on an industry culture that prizes proactive, adaptive security over checkbox compliance,” said Soroko. “In this light, true security demands innovation beyond static minimums.”