A Deep Dive into the Open Source Project Security (OSPS) Baseline

In this episode of "What's in the SOSS," CRob, Ben Cotton, and Eddie Knight discuss the Open Source Project Security Baseline. This baseline provides a common language and control catalog for software security, enabling maintainers to demonstrate their project's security posture and fostering confidence in open source projects. They explore its integration with other OpenSSF projects, real-world applications like the GUAC case study, and its value to maintainers and stakeholders. The role of documentation in security is emphasized, ensuring secure software deployment. The effectiveness of the baseline is validated through real-world applications and refined by community feedback, with future improvements focusing on better tooling and compliance mapping.

Episode Chapters

00:00 - Welcome & Introductions

02:40 - Understanding the Open Source Project Security Baseline

05:54 - The Importance of Defining a Security Baseline

08:49 - Integrating Baseline with Other OpenSSF Projects

11:42 - Real-World Applications: The Glock Case Study

14:21 - Value for Maintainers and Other Stakeholders

17:29 - The Role of Documentation in Security

20:37 - Future Directions for the Baseline and Orbit

23:26 - Community Engagement and Feedback

Episode links:

• Ben Cotton’s LinkedIn page
• Eddie Knight’s LinkedIn page
• OSPS Baseline website
• OSPS Baseline github
• OSPS Baseline slack
• OSPS ORBIT Working Group
• OpenSSF Tech Talk: How to use the OSPS Baseline to Better Navigate Standards and Regulations
• Gemara project
• GUAC project
• Get involved with the OpenSSF
• Subscribe to the OpenSSF newsletter
• Follow the OpenSSF on LinkedIn