The Biden administration’s recent executive order on cybersecurity aims to improve security assurances and the use of best practices. Transparency and project health are two factors that help support security across the software industry — especially now.

Software security is now open source software security

Since 92% of modern applications contain open source components, improving software security often means improving open source software security.

As Biden's executive order puts it:

“The trust we have in our digital infrastructure should be proportional to the credibility and transparency of that infrastructure.”

Transparency is a cornerstone of security because it helps build trust and confidence in technology. Indeed, without transparency, trust and security evaporate. So one of the ways we can help improve security is to increase transparency in our programs.

Transparency through open source provides information about a project, allowing users to assess its health in at least two ways.

  • Cross-community environment. Collaboration across teams and communities is key to meeting evolving security and privacy standards. Because the software is open source, securing it is not the job of a single organization; it involves multiple teams across multiple organizations (that is, cross communities).
  • Public disclosure: Transparency also lets organizations quickly establish and publish security reports that identify potential threats and vulnerabilities.

How to measure transparency to achieve security

Open source should be in the DNA of every modern organization that wishes to achieve high levels of transparency. However, transparency is about more than allowing access to code, products, designs, services, or APIs. Transparency is a commitment to complete clarity.

Open source has evolved into a complex ecosystem of projects and organizations with different kinds of relationships. An Open Source Program Office (OSPO) enables companies, public agencies, governments, and other organizations to understand and manage the size and health of their open source ecosystems. An OSPO cares not only about the projects the organization is using, but also about the projects it is releasing or contributing to.

One way to measure transparency throughout the open source ecosystem is to assess the answers to the following questions about community health.

  • How many maintainers are needed to keep the project sustainable? The Bus Factor is a way to determine how many contributors a project can lose before it stalls. This metric (what would happen if a contributor were run over by a bus) is computed as the minimum number of people whose combined contributions account for 50% of the project's activity, and the result is visualized.
  • Who are the core developers? The Onion model is a way to identify the most committed developers and the ones the project depends on the most.
  • Which organizations are involved in the software development process? In addition to analyzing the number of companies whose employees contribute to commits, issues, or code, the Elephant Factor determines the minimum number of companies that do half the work.
  • Does the software have a security certification? Holding a well-known security certification, such as the Core Infrastructure Initiative (CII) Best Practices Badge, shows that an open source project follows best practices and meets the specified certification criteria.
  • How active is the community? There are several ways to assess whether a community is active. One is to look at how quickly the community responds, including how quickly issues are resolved and how many are ignored.

Most of these questions are part of the CHAOSS metrics definitions. Community Health Analytics Open Source Software (CHAOSS) is a Linux Foundation project focused on creating a standard set of metrics and software to help define open source community health. Its GrimoireLab toolset makes it easier for projects to analyze and report on their community health indicators.
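To make the Bus Factor, Elephant Factor and responsiveness questions above concrete, here is an added Python example that computes them from a small commit log and issue list. This is illustration code written for this page, not code from CHAOSS or GrimoireLab; the project, contributor and organization names, the commit counts, the issue dates and the 90-day "ignored" threshold are all constructed assumptions.

```python
"""Community-health metrics from a constructed commit log and issue list.

Added example: illustration code, not code from the page or from the
CHAOSS / GrimoireLab projects. Names, sample data and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (hypothetical project): (author, organization, commit count).
COMMIT_SPEC = [
    ("alice", "acme", 40),
    ("bob", "acme", 25),
    ("carol", "globex", 15),
    ("dave", "initech", 10),
    ("erin", "globex", 5),
    ("frank", "independent", 5),
]
# Expand to one (author, organization) tuple per commit, as a git log would yield.
COMMITS = [(author, org) for author, org, n in COMMIT_SPEC for _ in range(n)]

# Constructed sample issues: (opened, closed) as ISO dates; None means still open.
ISSUE_SPEC = [
    ("2021-01-10", "2021-01-12"),
    ("2021-02-01", "2021-02-15"),
    ("2021-03-05", "2021-03-06"),
    ("2021-04-20", "2021-05-30"),
    ("2021-01-20", None),   # open for months with no response
    ("2021-05-25", None),   # recently opened, not yet stale
]
ISSUES = [
    (datetime.fromisoformat(opened), datetime.fromisoformat(closed) if closed else None)
    for opened, closed in ISSUE_SPEC
]
NOW = datetime(2021, 6, 1)  # assumed evaluation date for the sample


def share_threshold(counts, share=0.5):
    """Smallest number of keys whose combined activity reaches `share` of the total.

    Keys are taken in descending order of activity, so the answer does not
    depend on how ties are ordered.
    """
    total = sum(counts.values())
    running = 0
    for rank, (_, count) in enumerate(counts.most_common(), start=1):
        running += count
        if running >= share * total:
            return rank
    return len(counts)  # only reached for an empty log


def bus_factor(commits, share=0.5):
    """Minimum number of people accounting for `share` of the commits (Bus Factor)."""
    return share_threshold(Counter(author for author, _ in commits), share)


def elephant_factor(commits, share=0.5):
    """Minimum number of organizations accounting for `share` of the commits (Elephant Factor)."""
    return share_threshold(Counter(org for _, org in commits), share)


def time_to_close_days(issues):
    """Days from open to close for every closed issue."""
    return [(closed - opened).total_seconds() / 86400
            for opened, closed in issues if closed is not None]


def median_time_to_close(issues):
    """Median resolution time in days; None if nothing has been closed yet."""
    days = time_to_close_days(issues)
    return median(days) if days else None


def ignored_issues(issues, now, stale_after=timedelta(days=90)):
    """Open issues older than `stale_after` with no closure (threshold is an assumption)."""
    return [opened for opened, closed in issues
            if closed is None and now - opened > stale_after]


def health_report(commits, issues, now):
    """Summarise the community-health questions as one dict."""
    open_count = sum(1 for _, closed in issues if closed is None)
    return {
        "bus_factor": bus_factor(commits),
        "elephant_factor": elephant_factor(commits),
        "median_days_to_close": median_time_to_close(issues),
        "open_issues": open_count,
        "ignored_issues": len(ignored_issues(issues, now)),
    }


if __name__ == "__main__":
    for key, value in health_report(COMMITS, ISSUES, NOW).items():
        print(f"{key}: {value}")
```

On the sample data two people (alice and bob) account for half of the commits, so the Bus Factor is 2, and a single company (acme) does more than half the work, so the Elephant Factor is 1: a warning sign for sustainability even though six people from four organizations contribute. The `share` parameter lets you tighten the question (for example, who accounts for 75% of the work). The same counters can be fed from a real `git log --format='%an <%ae>'` output by mapping e-mail domains to organizations, which is what tools like GrimoireLab automate at scale.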

Conclusion

Open source software took over the world a long time ago. The Biden administration's new executive order is one more reason to take the open source ecosystem seriously, since both public entities and private companies depend on it. But open source innovation follows its own approach, not traditional business processes. Using open source responsibly means investing in an OSPO and measuring transparency against the project's actual activity in order to obtain the required security guarantees.