The purpose of the Identifying Security Threats working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
Identifying Security Threats in Open Source Projects

The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.

Motivation

Open source software is an essential part of modern software development, and of practically all technology solutions. Adoption of open source software has grown over the past two decades, powering everything from tiny "Internet of Things" devices to the most advanced supercomputers in the world. This has led to enormous productivity gains, allowing software engineers to focus more on solving business problems and less on creating and re-creating the same building blocks needed in many situations.

With these benefits, however, comes some risk. Attackers frequently target open source projects and the ecosystems they are a part of in order to compromise the organizations or users that use those projects. It's essential that we understand these threats and work to build defenses against them.

Objective

Our objective is to enable stakeholders to have informed confidence in the security of open source projects. This includes identifying threats to the open source ecosystem and recommending practical mitigations. We will also identify a set of key metrics and build tooling to communicate those metrics to stakeholders, enabling a better understanding of the security posture of individual open source software components.

Scope

The scope of this working group includes "security", as opposed to privacy, resiliency, or other related areas. We also consider the broad open source ecosystem, as opposed to focusing exclusively on critical open source projects.

Active Projects

  • Alpha-Omega
    • Leads: Michael Scovetta, Michael Winser, Brian Behlendorf
  • Office Hours
    • Lead: Marta Rybczynska
  • Security Insights - Provides a mechanism for projects to report information about their security practices in a machine-readable way.
    • Lead: Luigi Gubello
  • Security Metrics - This project's purpose is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.
    • Lead: Michael Scovetta [existing implementation]
    • Leads: Vinod, Jay White, Christine Abernathy
  • Security Reviews - This repository contains a collection of security reviews of open source software.

Inactive Projects

Get Involved

Related Work

Quick Start

The best way to get started is to simply join a working group meeting. You can also read our Meeting Minutes to get up to speed with what we're up to.

Working Group Meeting Times

Antitrust Policy

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Governance

The CHARTER document outlines the scope and governance of our group activities.
