On Wednesday, the Open Source Security Foundation (OpenSSF) announced the adoption of the Secure Supply Chain Consumption Framework (S2C2F), a framework for consuming open source software that was created by Microsoft.
S2C2F describes real-world threats to open source software (OSS) and specifies measures to counter them. It has been in use within Microsoft since 2019 and was made public in August 2022. The consumption-focused framework takes a threat-based, risk-reduction approach to mitigating supply chain threats to OSS.
The framework has eight distinct practice areas: intake, inventory, updates, enforcement, audit, scanning, rebuilding, and mending (upstream).
Its requirements are organised into four maturity levels: basic governance practices (OSS inventory, vulnerability scanning, and dependency updates); improving mean time to remediate (MTTR) vulnerabilities in OSS; proactive security analysis and controls; and mitigation against sophisticated attacks.
The framework also offers guidance to help organisations determine their maturity level, along with recommendations for industry tools that can assist them in meeting the framework’s requirements.
S2C2F is intended to shield developers from unintentionally consuming malicious or compromised packages, reducing the risk of supply chain attacks. The OpenSSF S2C2F special interest group (SIG), which is run by a Microsoft team, will update the S2C2F specification to take new risks into account.
“One of its primary strengths, and why we were so excited to adopt it into the OpenSSF, is how well it pairs with any producer-focused framework such as SLSA [supply chain levels for software artifacts]. For example, S2C2F’s Level 3 requirement for provenance of all dependency artifacts can be achieved through generated artifact provenance in such a manner deemed trustworthy through SLSA,” OpenSSF states.