Linux Foundation launches badge program to boost open source security

The initiative is designed to improve the security of open-source projects and push tech firms to adopt best practices.
Written by Charlie Osborne, Contributing Writer

The Linux Foundation has released the first round of CII Best Practices badges as part of a program designed to improve the quality and security of open-source software.

In an announcement on Tuesday, the non-profit said the Core Infrastructure Initiative (CII), a project which brings tech firms, developers and stakeholders together to create best practice specifications and improve the security of critical open-source projects, has now entered a new stage with the issuing of CII badges to a select number of open-source software projects.

The early badge owners include Curl, GitLab, the Linux kernel, OpenBlox, OpenSSL, Node.js and Zephyr.

"This is a free program that seeks to determine security, quality and stability of open source software," the San Francisco-based organization says.

"The CII Best Practices online app enables developers to quickly determine whether they are following best practices and to receive a badge they can display on GitHub and other online properties when they pass. The app and its criteria are an open source project to which developers can contribute."

The badge round includes an assessment of OpenSSL security and how far the software has come since the disclosure of the Heartbleed vulnerability.

The Linux Foundation said OpenSSL originally failed to meet more than a third of the CII Best Practices Badge criteria, but the software now receives full marks.

"Open source projects often have very good security practices in place but need a way to validate those against industry and community best practices and ensure they're always improving," said Nicko van Someren, CTO, The Linux Foundation.

Spearheaded by Institute for Defense Analyses (IDA) security researcher David Wheeler, the CII Best Practices Badge program has an important place in security as a benchmark for open-source software developers to evaluate and improve their security practices.

Open-source software is widely used in everything from database control to web domain backend systems online, and so giving developers a direction for input and improvement can only improve security for users and vendors worldwide.

The Core Infrastructure Initiative also offers a number of grants for researchers interested in improving open-source software security.
