|
| 1 | +id: osps-baseline |
| 2 | +title: Open Source Project Security Baseline |
| 3 | +version: "" |
| 4 | +description: | |
| 5 | + The Open Source Project Security (OSPS) Baseline is a set of security criteria |
| 6 | + that projects should meet to demonstrate a strong security posture. |
| 7 | +last-modified: "" |
| 8 | + |
| 9 | +applicability-categories: #TODO: Update all applicability levels to use these IDs in a follow-up PR |
| 10 | + - id: maturity-1 |
| 11 | + title: Maturity Level 1 |
| 12 | + description: for any code or non-code project with any number of maintainers or users |
| 13 | + - id: maturity-2 |
| 14 | + title: Maturity Level 2 |
| 15 | + description: for any code project that has at least 2 maintainers and a small number of consistent users |
| 16 | + - id: maturity-3 |
| 17 | + title: Maturity Level 3 |
| 18 | + description: for any code project that has a large number of consistent users |
| 19 | + |
| 20 | +mapping-references: |
| 21 | + - id: BPB |
| 22 | + title: OpenSSF Best Practices Badge |
| 23 | + version: "" |
| 24 | + url: https://github.com/coreinfrastructure/best-practices-badge/blob/main/criteria/criteria.yml |
| 25 | + description: | |
| 26 | + The Open Source Security Foundation (OpenSSF) Best Practices Badge is a way |
| 27 | + for Free/Libre and Open Source Software (FLOSS) projects to show that they |
| 28 | + follow best practices. Projects can voluntarily self-certify, at no cost, |
| 29 | + by using this web application to explain how they follow each best practice. |
| 30 | + The OpenSSF Best Practices Badge is inspired by the many badges available |
| 31 | + to projects on GitHub. Consumers of the badge can quickly assess which |
| 32 | + FLOSS projects are following best practices and, as a result, are more |
| 33 | + likely to produce higher-quality secure software. |
| 34 | + - id: CRA |
| 35 | + title: Cyber Resilience Act (Regulation 2024/2847) |
| 36 | + version: "20.11.2024" |
| 37 | + url: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847 |
| 38 | + description: | |
| 39 | + Regulation (EU) 2024/2847 of the European Parliament and of the |
| 40 | + Council of 23 October 2024 on horizontal cybersecurity requirements for |
| 41 | + products with digital elements and amending Regulations (EU) No 168/2013 and |
| 42 | + (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with |
| 43 | + EEA relevance) |
| 44 | + - id: CSF |
| 45 | + title: NIST Cybersecurity Framework |
| 46 | + version: "2.0" |
| 47 | + url: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf |
| 48 | + description: | |
| 49 | + The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, |
| 50 | + government agencies, and other organizations to manage cybersecurity risks. |
| 51 | + It offers a taxonomy of high level cybersecurity outcomes that can be used |
| 52 | + by any organization — regardless of its size, sector, or maturity — to |
| 53 | + better understand, assess, prioritize, and communicate its cybersecurity |
| 54 | + efforts. The CSF does not prescribe how outcomes should be achieved. |
| 55 | + Rather, it links to online resources that provide additional guidance on |
| 56 | + practices and controls that could be used to achieve those outcomes. |
| 57 | + - id: OpenCRE |
| 58 | + title: Open Common Requirement Enumeration |
| 59 | + version: "" |
| 60 | + url: https://www.opencre.org/ |
| 61 | + description: | |
| 62 | + An interactive content linking platform for uniting security |
| 63 | + standards and guidelines. It offers easy and robust access to relevant |
| 64 | + information when designing, developing, testing and procuring secure software. |
| 65 | + - id: PCIDSS |
| 66 | + title: Payment Card Industry Data Security Standard |
| 67 | + version: "4.0.1" |
| 68 | + url: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf |
| 69 | + description: | |
| 70 | + PCI Security Standards are technical and operational requirements |
| 71 | + set by the PCI Security Standards Council (PCI SSC) to protect cardholder |
| 72 | + data. The standards apply to all entities that store, process or transmit |
| 73 | + cardholder data – with requirements for software developers and manufacturers |
| 74 | + of applications and devices used in those transactions. The Council is |
| 75 | + responsible for managing the security standards, while compliance with the |
| 76 | + PCI set of standards is enforced by the founding members of the Council: |
| 77 | + American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. |
| 78 | + The PCI Data Security Standard (PCI DSS) applies to all entities that store, |
| 79 | + process, and/or transmit cardholder data. It covers technical and operational |
| 80 | + system components included in or connected to cardholder data. If you accept |
| 81 | + or process payment cards, PCI DSS applies to you. |
| 82 | + - id: SAMM |
| 83 | + title: OWASP Software Assurance Maturity Model |
| 84 | + version: "2" |
| 85 | + url: https://owaspsamm.org/model/ |
| 86 | + description: | |
| 87 | + A maturity model for software assurance that provides an effective |
| 88 | + and measurable way for all types of organizations to analyze and improve their |
| 89 | + software security posture. OWASP SAMM supports the complete software lifecycle, |
| 90 | + including development and acquisition, and is technology and process agnostic. |
| 91 | + It is intentionally built to be evolutive and risk-driven in nature. |
| 92 | + - id: SSDF |
| 93 | + title: NIST Secure Software Development Framework (SP 800-218) |
| 94 | + version: "1.1" |
| 95 | + url: https://csrc.nist.gov/pubs/sp/800/218/final |
| 96 | + description: | |
| 97 | + The Secure Software Development Framework (SSDF) is a set of fundamental, |
| 98 | + sound, and secure software development practices based on established |
| 99 | + secure software development practice documents from organizations such as |
| 100 | + BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models |
| 101 | + explicitly address software security in detail, so practices like those in |
| 102 | + the SSDF need to be added to and integrated with each SDLC implementation. |
| 103 | + Following the SSDF practices should help software producers reduce the |
| 104 | + number of vulnerabilities in released software, reduce the potential impact |
| 105 | + of the exploitation of undetected or unaddressed vulnerabilities, and |
| 106 | + address the root causes of vulnerabilities to prevent recurrences. Also, |
| 107 | + because the SSDF provides a common language for describing secure software |
| 108 | + development practices, software producers and acquirers can use it to foster |
| 109 | + their communications for procurement processes and other management activities. |
| 110 | + - id: SLSA |
| 111 | + title: Supply-chain Levels for Software Artifacts |
| 112 | + version: "1.0" |
| 113 | + url: https://slsa.dev/ |
| 114 | + description: | |
| 115 | + SLSA (pronounced \"salsa\") is a security framework from source |
| 116 | + to service, giving anyone working with software a common language for |
| 117 | + increasing levels of software security and supply chain integrity. It’s how |
| 118 | + you get from safe enough to being as resilient as possible, at any link in |
| 119 | + the chain. |
| 120 | + - id: ISO-18974 |
| 121 | + title: ISO/IEC 18974 |
| 122 | + version: "1.0 - 2023-12" |
| 123 | + url: https://openchainproject.org/security-assurance |
| 124 | + description: | |
| 125 | + ISO/IEC 18974 helps organizations check open source for known security |
| 126 | + vulnerability issues like CVEs, GitHub dependency alerts or package manager |
| 127 | + alerts. ISO/IEC 18974 identifies: The key places to have security processes, |
| 128 | + How to assign roles and responsibilities, And how to ensure sustainability |
| 129 | + of the processes. ISO/IEC 18974 is lightweight, easy to read and is |
| 130 | + supported by our global community with free reference material and |
| 131 | + conformance resources. |
| 132 | + - id: PSSCRM |
| 133 | + title: Proactive Software Supply Chain Risk Management Framework |
| 134 | + version: "" |
| 135 | + url: https://arxiv.org/pdf/2404.12300 |
| 136 | + description: | |
| 137 | + The Proactive-Software Supply Chain Risk Management (P-SSCRM) Framework is |
| 138 | + designed to help you understand and plan a secure software supply chain risk |
| 139 | + management initiative. P-SSCRM was created through a process of understanding |
| 140 | + and analyzing real-world data from nine industry-leading software supply chain |
| 141 | + risk management initiatives as well as through the analysis and unification |
| 142 | + of ten government and industry documents, frameworks, and standards. Although |
| 143 | + individual methodologies and standards differ, many initiatives and standards |
| 144 | + share common ground. P-SSCRM describes this common ground and presents a model |
| 145 | + for understanding, quantifying, and developing a secure software supply chain |
| 146 | + risk management program and determining where your organization's existing |
| 147 | + efforts stand when contrasted with other real-world software supply chain |
| 148 | + risk management initiatives. |
| 149 | + - id: UKSSCOP |
| 150 | + title: UK Secure Software Compliance or Practices |
| 151 | + version: "7 May 2025" |
| 152 | + url: https://www.gov.uk/government/publications/software-security-code-of-practice/software-security-code-of-practice |
| 153 | + description: | |
| 154 | + This voluntary Software Security Code of Practice has been developed to |
| 155 | + improve the security and resilience of software that organisations and |
| 156 | + businesses rely on. |
| 157 | + The Software Security Code of Practice will support software vendors and |
| 158 | + their customers in reducing the likelihood and impact of software supply |
| 159 | + chain attacks and other software resilience incidents. Often, these kinds |
| 160 | + of attacks and disruptions are caused by avoidable weaknesses in software |
| 161 | + development and maintenance practices. The impact of these kinds of incidents |
| 162 | + can also be exacerbated by poor communication between organisations and |
| 163 | + their software suppliers. This Code addresses those issues. |
| 164 | + - id: Scorecard |
| 165 | + title: OpenSSF Scorecard |
| 166 | + version: "v5.2.1" |
| 167 | + url: "https://scorecard.dev/" |
| 168 | + description: | |
| 169 | + An OpenSSF project that helps users assesses open |
| 170 | + source projects for security risks through a series |
| 171 | + of automated checks. It was created by OSS developers |
| 172 | + to help improve the health of critical projects |
| 173 | + that the community depends on. |
0 commit comments