Behind the Baseline: Reflecting on the launch of the Open Source Project Security Baseline

It’s been a while since I’ve shared an update on the work Sonatype is doing in the open source ecosystem, so I’m excited to describe a few things we’re doing in the space — and how they led to the creation of a new security standard in the Open Source Security Foundation (OpenSSF).

The Open Source Project Security (OSPS) Baseline is a set of criteria that help open source maintainers who want to improve their project’s security hygiene. It’s the culmination of focused effort from folks across the ecosystem, reflected in a strong team of maintainers from four different organizations collaborating almost daily for nearly a year.

The context that shaped the work includes insight from the widely adopted Best Practices Badge, Scorecard, and CLOMonitor.

But the origin story — in a way — is quite a bit longer.

Bridging Open Source Communities

When I first started working at Sonatype in our Developer Relations program, I was a maintainer for an emerging Fintech Open Source Foundation (FINOS) project related to the creation of cybersecurity policies and tooling for financial services. At the same time, I was asked to support Cloud Native Computing Foundation (CNCF) projects by overseeing a Sonatype-hosted event designed to improve project security.

As I transitioned into the Office of the CTO to lead our small Open Source Program Office, my engagement with the open source community became a core part of my role. I was soon invited to steer the FINOS Common Cloud Controls project and appointed as co-chair of CNCF’s Technical Advisory Group for Security, along with my other Sonatype open source responsibilities.

In early 2024, the open source world was understandably concerned about the development of the European Union’s Cyber Resilience Act (CRA) — which (Read more...)

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Eddie Knight. Read the original post at: https://www.sonatype.com/blog/behind-the-baseline-reflecting-on-the-launch-of-the-open-source-project-security-baseline