Identifying Security Threats in Open Source Projects
The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
Motivation
Open source software is an essential part of modern software development, and of practically all technology solutions. Adoption of open source software has grown over the past two decades, powering everything from tiny "Internet of Things" devices to the most advanced supercomputers in the world. This has led to enormous productivity gains, allowing software engineers to focus more on solving business problems and less on creating and re-creating the same building blocks needed in many situations.
With these benefits, however, comes some risk. Attackers frequently target open source projects and the ecosystems they are a part of in order to compromise the organizations or users that use those projects. It's essential that we understand these threats and work to build defenses against them.
Objective
Our objective is to enable stakeholders to have informed confidence in the security of open source projects. This includes identifying threats to the open source ecosystem and recommending practical mitigations. We will also identify a set of key metrics and build tooling to communicate those metrics to stakeholders, enabling a better understanding of the security posture of individual open source software components.
Scope
The scope of this working group includes "security", as opposed to privacy, resiliency, or other related areas. We also consider the broad open source ecosystem, as opposed to focusing exclusively on critical open source projects.
Our work products will include analysis, publications, tools, engagement, and advocacy with other groups inside and outside of the OpenSSF to advance the state of open source security.
Prior Work
Get Involved
- Project: Security Metrics
- Mailing List. (Manage your subscriptions to OpenSSF mailing lists)
- OpenSSF Community Calendar
Quick Start
- Do you write code? We're looking for software developers to help build the Security Metrics project. Contact Michael Scovetta to get started.
- Interested in joining? E-mail Michael Scovetta for an invite to the next working group meeting.
- Want to contribute? Check out our open issues.
Meeting times
- We meet every other week, alternating between Mondays and Wednesdays. See the OpenSSF Community Calendar and e-mail Michael Scovetta to get an invite to the next meeting or the series.
- Meeting Minutes
Governance
The CHARTER document outlines the scope and governance of our group activities.
- Lead: Michael Scovetta
- Co-Lead: Jennifer Fernick
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent