News

OpenSSF Adopts Microsoft Open Source Software Security Guidelines

The Open Source Security Foundation (OpenSSF) announced on Wednesday that it has adopted the Secure Supply Chain Consumption Framework (S2C2F) for ensuring the secure use of open source software (OSS) by developers.

The S2C2F is Microsoft's guideline for OSS integrations that's been used by the company since 2019. It used to be called the "Open Source Software-Supply Chain Security Framework," according to a Wednesday announcement by Mark Russinovich, chief technology officer for Microsoft Azure.

The adoption of S2C2F by the OpenSSF is notable because the OpenSSF is a Linux Foundation project concerned with the overall security of the OSS supply chain. Use of S2C2F will help developers consuming OSS packages to that end, per the OpenSSF's announcement:

The S2C2F is designed from the ground up to protect developers from accidentally consuming vulnerable packages (including malicious and compromised packages), helping to mitigate supply chain attacks through decreasing consumption-based attack surfaces.

Microsoft has donated its S2C2F guidelines to the OpenSSF. The founding members of the OpenSSF include "GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat, among others," according to an OpenSSF FAQ description.

The S2C2F is now backed by a Supply Chain Integrity Working Group at the OpenSSF, which also has its own Special Interest Group. Participants are planning to modify the S2C2F guidelines as new OSS threats emerge.

The announcement by the OpenSSF described the S2C2F as a "complete guide" for secure OSS use:

The Secure Supply Chain Consumption Framework (S2C2F), when coupled with a producer-focused artifact-oriented framework such as Supply chain Levels for Software Artifacts (SLSA), gives software producers and consumers a complete guide for how to approach building and consuming software securely.

The S2C2F is based on "real-world supply chain threats specific to OSS," according to Russinovich. In it, Microsoft has outlined eight practices where risks can be reduced, namely:

  • Ingest it: meaning that all open source software "artifact inputs" are controlled.
  • Scan it: where organizations have knowledge about any vulnerabilities or malware in an OSS artifact.
  • Inventory it: where OSS artifacts used in production environments are known.
  • Update it: where software artifacts can be updated.
  • Audit it: where the "full chain-of-custody" of an OSS artifact can be proven.
  • Enforce it: where OSS artifacts are controlled and consumed from trusted sources.
  • Rebuild it: which involves creating a new chain of custody from the source code of an OSS artifact. This approach is said to address "build-time attacks such as those seen on CCleaner and SolarWinds."
  • Fix it: where it's possible to "patch, build, and deploy any external artifact within 3 days of harm notification."

Additionally, the S2C2F has four OSS security "maturity model" levels for organizations, as illustrated here:

[Click on image for larger view.] Figure 1. The S2C2F's four maturity levels for secure OSS use.

Level 4 of the S2C2F's model isn't deemed easy for organizations to implement, but it's recommended for the "most critical projects." Russinovich characterized Level 4 as "aspirational."

There are a lot of free and commercially available tools that can be used to carry out the S2C2F model, as listed at Microsoft's GitHub page. Russinovich noted that "both GitHub Advanced Security (GHAS) and GHAS on Azure DevOps (ADO) already provide a suite of security tools that will help teams and organizations achieve S2C2F Level 2 compliance."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • IBM Giving Orgs a Governance Lifeline in Agentic AI Era

    Nearly overnight, organizations are facing brand-new challenges caused by self-directed AI systems (a.k.a. agentic AI). Big Blue is extending them some help.

  • Microsoft Launches Integrated E-mail Security Ecosystem for Defender for Office 365

    Microsoft is expanding its e-mail security capabilities with the launch of a new Integrated Cloud Email Security (ICES) ecosystem for Microsoft Defender for Office 365.

  • Microsoft Joins Workday's AI Agent Partner Network

    Microsoft has become a key partner in Workday's newly launched AI Agent Partner Network, aligning with other industry leaders to integrate AI agents into enterprise workforce systems.

  • LinkedIn CEO Ryan Roslansky To Lead Microsoft's Productivity Initiatives

    In a strategic leadership realignment, Microsoft has appointed LinkedIn CEO Ryan Roslansky to oversee its consumer and small business productivity software division, encompassing Microsoft 365, Teams and AI-driven tools like Copilot.