Raising the Bar for Open Source Security: Introducing the OSPS Baseline

Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.

Ben Cotton

March 3, 2025

Last week, the OpenSSF announced the first release of the Open Source Project Security (OSPS) Baseline. OSPS Baseline is a tiered set of security controls to help project maintainers adopt secure practices that help protect their users. Developed over the last year by more than a dozen experts, OSPS Baseline gives maintainers concrete steps to take. I’m proud to contribute to this work.

Three Levels of Security, One Goal

OSPS Baseline was designed specifically for project maintainers. Unlike OpenSSF Scorecard and other tools that assess an upstream project's security posture from the outside (typically on behalf of its consumers), OSPS Baseline is a self-assessment intended for use by the project maintainers themselves. The three levels make it flexible enough for small projects all the way up to the Linux kernel. As we evaluated the controls in the OSPS Baseline, members of the Baseline SIG considered what is reasonable and practical for projects at different levels. For example, while it might be desirable for every project to produce an SBOM for all releases, we recognized that smaller projects, especially when first starting out, probably don't yet see a need for it, so that expectation belongs at a higher level rather than the first one. We wanted the OSPS Baseline to be something that project maintainers see value in and find worthwhile to adopt.

Making Compliance Less Painful

As the European Union's Cyber Resilience Act (CRA) approaches enforcement, some project maintainers are concerned about meeting its requirements. OSPS Baseline includes a mapping to CRA requirements to ease compliance checks. In addition to the CRA, the OSPS Baseline includes mappings to the OpenSSF Best Practices Badge, the NIST Secure Software Development Framework (SP 800-218), the NIST Cybersecurity Framework (CSF), the Open Common Requirement Enumeration (OCRE), and the OpenChain standards. This means that a project that has already met one of these standards can quickly evaluate its OSPS Baseline level, and a project that has met the OSPS Baseline can use the same mapping to shortcut its assessment against the other standards. Easing the burden on maintainers helps drive the adoption of secure practices.

That's why Kusari is contributing time and effort to the OSPS Baseline project: we know that security improvements only stick when they cause as little developer disruption as possible. The simpler it is to improve a project's security posture, the more projects will do it. The easiest vulnerabilities to remediate are the ones that never get introduced. In addition to the work on the OSPS Baseline itself, we're working in the GUAC project to pilot the OSPS Baseline in real-world scenarios.

Strength in Community - Join in!

Like any great open source project, the OSPS Baseline is a team effort. We have to thank the other maintainers of the OSPS Baseline: Christopher “CRob” Robinson of the OpenSSF, Adolfo García Veytia of Carabiner Systems, Dr. David Wheeler of the Linux Foundation, and particularly Eddie Knight from Sonatype, who started this project. Of course, there are many others who have contributed in small or large part with suggestions, edits, and general feedback.

If you want to contribute, please try evaluating your project against the OSPS Baseline and submit an issue if something is unclear or difficult. We’d love feedback in the repo or in #sig-security-baseline on the OpenSSF Slack as we work to make OSPS Baseline a valuable tool for securing open source.
