In an announcement this week, the Open Source Security Foundation (OpenSSF) said that it is now using Microsoft's Secure Supply Chain Consumption Framework (S2C2F). The framework is a guideline for consuming and using open-source software (OSS) securely.
S2C2F, created by Microsoft, is a guideline standard for OSS software. Microsoft has been using the guideline since 2019 and has been pushing for OpenSSF to adopt it. In a blog post this week, Microsoft says OpenSSF adopting the standard is important because the foundation is a Linux Foundation project.
“The S2C2F is designed from the ground up to protect developers from accidentally consuming vulnerable packages (including malicious and compromised packages), helping to mitigate supply chain attacks through decreasing consumption-based attack surfaces.”
Microsoft says the S2C2F guidelines are now part of the OpenSSF and are available to all founding members. It is worth noting that Microsoft is one of those founding members, alongside IBM, Google, the OWASP Foundation, Red Hat, NCC Group, and others.
OpenSSF was founded in August 2020 and aims to increase security around open-source services. The group says the intention is to connect and secure software by leveraging the Linux Foundation; for example, the “Core Infrastructure Initiative (CII)” and the “GitHub-initiated Open Source Security Coalition (OSSC)” are part of the initiative.
OpenSSF describes the S2C2F as a complete guideline:
“The Secure Supply Chain Consumption Framework (S2C2F), when coupled with a producer-focused artifact-oriented framework such as Supply chain Levels for Software Artifacts (SLSA), gives software producers and consumers a complete guide for how to approach building and consuming software securely.”
- Ingest it: meaning that all open source software “artifact inputs” are controlled.
- Scan it: where organizations have knowledge about any vulnerabilities or malware in an OSS artifact.
- Inventory it: where OSS artifacts used in production environments are known.
- Update it: where software artifacts can be updated.
- Audit it: where the “full chain-of-custody” of an OSS artifact can be proven.
- Enforce it: where OSS artifacts are controlled and consumed from trusted sources.
- Rebuild it: which involves creating a new chain of custody from the source code of an OSS artifact. This approach is said to address “build-time attacks such as those seen on CCleaner and SolarWinds.”
- Fix it: where it's possible to “patch, build, and deploy any external artifact within 3 days of harm notification.”
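The practices listed above can be read as a consumption gate that a package-ingestion pipeline applies before an OSS artifact reaches a build. The following Python script is an added example of such a gate and is not OpenSSF's or Microsoft's code, nor an S2C2F reference implementation; it shows "Enforce it" (trusted sources only), "Scan it" (a known-bad list), "Inventory it" and "Audit it" (a recorded digest re-checked on every consumption) and the 3-day "Fix it" window. All artifact names, contents, registry URLs, advisory identifiers and dates are constructed.

```python
"""Toy S2C2F-style consumption gate (added example, not OpenSSF/Microsoft code).

Artifact names, contents, digests, registry URLs and advisory ids are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# "Enforce it": the only sources artifacts may be consumed from (constructed URL).
TRUSTED_SOURCES = {"https://mirror.internal.example/pypi/"}

# "Fix it": the framework's target of patching within 3 days of harm notification.
FIX_WINDOW = timedelta(days=3)


@dataclass(frozen=True)
class Artifact:
    name: str
    version: str
    sha256: str   # digest recorded when the artifact was first ingested
    source: str   # registry it was ingested from


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded package contents.
CONTENT_A = b"constructed artifact A"
CONTENT_B = b"constructed artifact B"

# "Inventory it": approved artifacts with their recorded digests. Re-checking the
# digest on every consumption is the chain-of-custody check behind "Audit it".
INVENTORY: Dict[Tuple[str, str], Artifact] = {
    ("requests-like", "2.0.0"): Artifact(
        "requests-like", "2.0.0", sha256_of(CONTENT_A),
        "https://mirror.internal.example/pypi/"),
}

# "Scan it": known-bad versions from a vulnerability/malware feed (constructed id).
KNOWN_BAD: Dict[Tuple[str, str], str] = {
    ("left-pad-like", "1.3.0"): "CONSTRUCTED-ADVISORY-001",
}


def evaluate(name: str, version: str, source: str, content: bytes) -> Tuple[bool, List[str]]:
    """Gate one ingestion request; returns (allowed, list of findings)."""
    findings: List[str] = []
    key = (name, version)
    if source not in TRUSTED_SOURCES:
        findings.append(f"untrusted source: {source}")
    if key in KNOWN_BAD:
        findings.append(f"known-bad artifact: {KNOWN_BAD[key]}")
    record = INVENTORY.get(key)
    if record is None:
        findings.append("not in inventory: needs review before first use")
    elif record.sha256 != sha256_of(content):
        findings.append("digest mismatch against inventory record")
    return (not findings, findings)


def overdue_fixes(notified: Dict[str, str], today: str) -> List[str]:
    """Artifacts whose harm notification (ISO date) is older than the fix window."""
    now = date.fromisoformat(today)
    return sorted(a for a, d in notified.items()
                  if now - date.fromisoformat(d) > FIX_WINDOW)


if __name__ == "__main__":
    trusted = "https://mirror.internal.example/pypi/"
    for args in [
        ("requests-like", "2.0.0", trusted, CONTENT_A),
        ("requests-like", "2.0.0", "https://pypi.example.org/", CONTENT_A),
        ("left-pad-like", "1.3.0", trusted, CONTENT_B),
        ("requests-like", "2.0.0", trusted, b"tampered"),
    ]:
        allowed, findings = evaluate(*args)
        print(args[0], args[1], "ALLOW" if allowed else "BLOCK", findings)
    # Constructed notification dates: one is four days old, one is three days old.
    print(overdue_fixes({"pkg-a": "2024-01-01", "pkg-b": "2024-01-02"}, "2024-01-05"))
```

The gate only allows an artifact when every check passes; a digest mismatch is reported even for an approved name and version, which is what distinguishes an inventory with recorded digests from a plain allowlist of names.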