In February, The Linux Foundation’s Open Source Security Foundation (OpenSSF) launched the Open Source Project Security Baseline (OSPS Baseline) to establish minimum security requirements for open-source software. However, not everyone supports it.
According to Christopher Robinson, chief security architect at OpenSSF, the baseline initiative provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations. It aims to bolster the security posture of open-source software projects. He expressed confidence that these security best practices are "both practical and impactful across open-source projects."
Jamie Scott, founding product manager at Endor Labs, a supply chain security firm, said its usefulness depends on how it is used.
“The OpenSSF security baseline is a double-edged sword for the industry. It has the potential to push us forward -- or hold us back," he told LinuxInsider.
Stacey Potter, an independent open-source community manager who led the OSPS Baseline pilot efforts, noted that the project addresses a significant issue for open-source developers: navigating all the existing security standards.
"We built a framework that grows with your project. Our goal is to take the guesswork out of [the process] and help maintainers feel confident about where they stand without adding extra stress," she said.
Potter added, "It’s all about empowering the community and making open source more secure for everyone!”
Lofty, Hard-To-Reach Goals
The OSPS Baseline offers a tiered framework of security practices compiled from existing guidance from OpenSSF and other expert groups. It outlines tasks, processes, artifacts, and configurations that enhance the security of software development and consumption. It could help developers lay a foundation that supports compliance with global cybersecurity regulations.
Too often, security advice is vague or impractical, but Baseline aims to change that, observed Ben Cotton, open-source community lead at Kusari and co-maintainer of Baseline. He noted that every improvement to open-source security strengthens the modern software ecosystem, making it safer for everyone.
“This effort provides actionable, practical guidance to help developers achieve appropriate security levels for their projects," he said.
However, Endor Labs' Scott warned that the industry needs a shared understanding of what is practical and prudent for a project at a given level of maturity. Without a way to measure that, he argued, the project's efforts will not make meaningful progress.
"If we take it entirely at face value, we risk stalling open-source advancement and damaging relationships with the private sector," he cautioned.
Baseline a Guide for Adaptation, Not a Mandate
Scott contended that OSS developers must understand that security is a spectrum. A baseline is not the same as good practices, he reasoned.
"It’s a minimum standard, not an ideal. Security can’t be one-size-fits-all," he counseled.
A small project with no users should not be held to the same standard as a widely used library in critical infrastructure. He suggested that maturity models can help set reasonable expectations.
"Security should grow with adoption and impact,” he said.
Andrew Stiefel, senior product marketing manager at Endor Labs, added that industry compliance frameworks prioritize processes and tools that fit larger organizations with established GRC and security teams.
"The OpenSSF security baseline adapts these guidelines to the needs of open-source developers and projects and makes these best practices more accessible to smaller teams,” he told LinuxInsider.
Baseline Impact Limited Without Industry Buy-In
Mike McGuire, senior security solutions manager at application security firm Black Duck, supports the Baseline project, which reinforces existing security standards. However, he has concerns that it does not go far enough.
He sees such OSS initiatives as evidence that project maintainers and stewards generally do an effective job of keeping their code secure, up to date, and of acceptable quality.
Exceptions always occur, but McGuire suggests that this holds for the majority of the most popular open-source projects. Even so, threat actors will always attempt to exploit the inherent trust placed in open-source software.
"These efforts by OpenSSF and the Linux Foundation should make notable progress in the prevention of supply chain attacks that start at the open-source dependency level," he told LinuxInsider.
Open-source project owners can take every possible step to secure their code. However, the open-source consumer still bears the responsibility to use only the most secure and trustworthy projects and to stay current with security updates.
Weak Links Hinder Baseline Potential for Success
McGuire added that many security-relevant practices take place outside the formal software supply chain. That keeps controls such as access control, vulnerability management, and branch protection from fully locking down the common paths attackers use to compromise a legitimate project and plant the seeds of a supply chain attack.
"However, no matter what is done by project owners, no commercial application will be made any more secure if development organizations don’t invest more in managing the open source they leverage," he countered.
Development organizations must track and evaluate the open-source projects they utilize for risk management purposes. Otherwise, McGuire warned, they will continue to struggle with lingering vulnerabilities.
He added that the 2025 Open Source Security and Risk Analysis (OSSRA) report found that 81% of commercial codebases contained critical open-source vulnerabilities, with an average age of 2.8 years.
The overwhelming majority of these vulnerabilities have fixes available, which points to problems in how open-source consumers manage their dependencies rather than to slow patching on the open-source project's side.
Open Model Still a Risk in OSS Security
As far as Anthony Tam, manager of security engineering at Kubernetes container security firm Tigera, is concerned, open-source software continues to be a risk to software supply chain security. Software vendors will always depend on OSS libraries to build their products.
"OSS projects also vary in levels of maintenance and updates. Many OSS libraries are funded by the free or personal time of the maintainers, which can be a risk to the project as updates and changes are likely to be made less often," he told LinuxInsider.
When it comes to artificial intelligence, open-source AI carries the same risks as any other open-source software project.
"With the new risks that GenAI applications bring to the security community, new frameworks are a great starting point for providing developers and users with an understanding of how they can be best secured," he concluded.