By Sona Sarmadi, Security Responsible at Enea Software AB

Date: 2016-08-24

The OPNFV project received the Core Infrastructure Initiative (CII) Best Practices Badge from The Linux Foundation August 17th 2016. Details about this badge can be found on the CII certification page for OPNFV.

The Core Infrastructure Initiative (CII), run by Linux Foundation is a multi-million dollar project to identify and fund open source projects that are in need of assistance to harden open source security. . As the Linux Foundation says: ”With millions of people around the world relying on open source software — and vulnerabilities like Heartbleed putting everyone at risk — it's time to change the way we support, protect, and fortify open software.”

By using a web application, Open Source projects  can voluntarily self-certify for CII Best Practices Badge at no cost. Self-assessment scales quite well. It is open and available to everyone, there is no need for expensive third-party assessment. Since it’s open to everyone, everyone can do audit, have opinions and criticize if the project's claims are not true.

A certification that proves our commitment

Getting the Core Infrastructure Initiative (CII) Best Practices Badge shows the OPNFV project's commitment to security-aware development. The badge is however not a goal in itself, following these practices will ensure that a high level of security is maintained.

Facing the requirements

The requirements to get the badge are quite extensive, so we realized we needed to do some work in order to comply. One example is that we replaced crypto algorithms that are no longer considered secure (MD5). Another example is that we updated the OPNFV wiki pages  with more specific and clear instructions on how to report security incidents. We believe that security can never be achieved by an isolated security group. The work needs to involve everybody in the project, from developers to management.

Looking forward

Getting the Badge was an exciting challenge but the bigger challenge is ahead of us. Getting the Badge doesn't mean that we have reached our destination. We need not only to keep the current security, quality and stability of the OPNFV project but to continuously improve it.

Linux Foundation is discussing an improvement of the Badge Program: "In the longer term, there are plans to add higher badge levels beyond the current "passing" level, tentatively named the "gold" and "platinum" levels. Projects that are widely dependent on and are often attacked, such as the Linux kernel or any cryptographic library, should, of course, be doing much more than a minimum set of widely-applied best practices. However, the project team decided to create the criteria in stages.”

Thanks to the team

This project was a collaborative effort within OPNFV. As a member of the OPNFV security group I was appointed within this group to lead this Badge project.

Together with Luke Hinds (OPNFV Security Team Leader) and some other OPNFV project's and Linux foundation members such as; Ashlee Young (responsible for secure software design within OPNFV project), Aric Gardner, Raymond Paik, Fatih Degirmenci and Ulrich Kleber we reached our goal in time (i.e. before C release). I would like to take this opportunity and thank everyone involved in this project.