News

Microsoft Security Guidelines for Open Source Software Adopted by OpenSSF

• By Kurt Mackie
• 11/16/2022

The Open Source Security Foundation (OpenSSF) announced on Wednesday that it has adopted the Secure Supply Chain Consumption Framework (S2C2F) for ensuring the secure use of open source software (OSS) by developers.

The S2C2F is Microsoft's guideline for OSS integrations that's been used by the company since 2019. It used to be called the "Open Source Software-Supply Chain Security Framework," according to a Wednesday announcement by Mark Russinovich, chief technology officer for Microsoft Azure.

The adoption of S2C2F by the OpenSSF is notable because the OpenSSF is a Linux Foundation project concerned with the overall security of the OSS supply chain. Use of S2C2F will help developers consuming OSS packages to that end, per the OpenSSF's announcement:

The S2C2F is designed from the ground up to protect developers from accidentally consuming vulnerable packages (including malicious and compromised packages), helping to mitigate supply chain attacks through decreasing consumption-based attack surfaces.

Microsoft has donated its S2C2F guidelines to the OpenSSF. The founding members of the OpenSSF include "GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat, among others," according to an OpenSSF FAQ description.

The S2C2F is now backed by a Supply Chain Integrity Working Group at the OpenSSF, which also has its own Special Interest Group. Participants are planning to modify the S2C2F guidelines as new OSS threats emerge.

The announcement by the OpenSSF described the S2C2F as a "complete guide" for secure OSS use:

The Secure Supply Chain Consumption Framework (S2C2F), when coupled with a producer-focused artifact-oriented framework such as Supply chain Levels for Software Artifacts (SLSA), gives software producers and consumers a complete guide for how to approach building and consuming software securely.

The S2C2F is based on "real-world supply chain threats specific to OSS," according to Russinovich. In it, Microsoft has outlined eight practices where risks can be reduced, namely:

• Ingest it: meaning that all open source software "artifact inputs" are controlled.
• Scan it: where organizations have knowledge about any vulnerabilities or malware in an OSS artifact.
• Inventory it: where OSS artifacts used in production environments are known.
• Update it: where software artifacts can be updated.
• Audit it: where the "full chain-of-custody" of an OSS artifact can be proven.
• Enforce it: where OSS artifacts are controlled and consumed from trusted sources.
• Rebuild it: which involves creating a new chain of custody from the source code of an OSS artifact. This approach is said to address "build-time attacks such as those seen on CCleaner and SolarWinds."
• Fix it: where it's possible to "patch, build, and deploy any external artifact within 3 days of harm notification."

Additionally, the S2C2F has four OSS security "maturity model" levels for organizations, as illustrated here:

Level 4 of the S2C2F's model isn't deemed easy for organizations to implement, but it's recommended for the "most critical projects." Russinovich characterized Level 4 as "aspirational."

There are a lot of free and commercially available tools that can be used to carry out the S2C2F model, as listed at Microsoft's GitHub page. Russinovich noted that "both GitHub Advanced Security (GHAS) and GHAS on Azure DevOps (ADO) already provide a suite of security tools that will help teams and organizations achieve S2C2F Level 2 compliance."