On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework. As a massive consumer of and contributor to open source, Microsoft understands the importance of a robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software. We're pleased to announce that the S2C2F has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Initiative Group (SIG). Our peers at the OpenSSF and across the globe agree with Microsoft on how fundamental this work is to improving supply chain security for everyone.
What is the S2C2F?
We built the S2C2F as a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real-world threats. One of its primary strengths is how well it pairs with any producer-focused framework, such as SLSA. The framework enumerates a list of real-world supply chain threats specific to OSS and explains how the framework's requirements mitigate those threats. It also includes a high-level, platform- and software-agnostic set of focuses that are divided into eight different areas of practice.
Each of the eight practices is made up of requirements that address the threats and reduce risk. The requirements are organized into four levels of maturity. We have seen tremendous success with both internal and external projects that have adopted this framework. Using the S2C2F, teams and organizations can more efficiently prioritize their efforts in accordance with the maturity model. The ability to target a specific level of compliance within the framework means teams can make intentional and incremental progress toward reducing their supply chain risk.
Each maturity level has a theme, represented as Levels 1 to 4. Level 1 represents the previous conventional wisdom of inventorying your OSS, scanning for known vulnerabilities, and then updating OSS dependencies, which is the minimum necessary for an OSS governance program. Level 2 builds upon Level 1 by leveraging technology that helps improve your mean time to remediate (MTTR) vulnerabilities in OSS, with the goal of patching faster than the adversary can operate. Level 3 is focused on proactive security analysis combined with preventative controls that mitigate against accidental consumption of compromised or malicious OSS. Level 4 represents controls that mitigate against the most sophisticated attacks but are also the controls that are the most difficult to implement at scale; therefore, these should be considered aspirational and reserved for the dependencies of your most critical projects.
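To make the maturity levels concrete, here is an added example (not code from Microsoft, the OpenSSF, or the S2C2F guide) of the Level 1 loop applied to a single lockfile: inventory every pinned dependency, scan the inventory against an advisory feed, and produce the list of packages that must be updated. It also shows one Level 3-style preventative control, refusing any dependency that is not pinned by content hash so an unexpected package version cannot be consumed. The lockfile, package names, versions, hashes and the advisory entry are all constructed for the example; a real deployment would read the advisory data from a vulnerability database rather than a dictionary.

```python
"""Added example: a minimal S2C2F-style consumption check over a lockfile.

  inventory()             - Level 1: parse a pip requirements lockfile
  scan()                  - Level 1: match the inventory against advisories
  update_plan()           - Level 1: which packages move to which fixed version
  enforce_hash_pinning()  - Level 3-style control: reject unpinned dependencies

Every package name, version, hash and advisory below is constructed.
"""
from dataclasses import dataclass, field
import re

# Constructed lockfile in pip's "name==version --hash=..." format. Backslashes
# continue a requirement onto the next line, exactly as pip-compile emits them.
LOCKFILE = """\
examplelib==1.2.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
otherlib==3.4.5 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
unpinnedlib==0.9.0
"""

# Constructed advisory feed: package -> advisory id and first fixed version.
# Versions are compared as tuples; anything below fixed_in is affected.
ADVISORIES = {
    "examplelib": {"id": "EXAMPLE-ADV-0001", "fixed_in": (1, 2, 3)},
}

LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9.]+)\s*(.*)$")


@dataclass
class Dependency:
    name: str
    version: tuple
    hashes: list = field(default_factory=list)


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def inventory(lockfile_text):
    """Inventory: one Dependency record per pinned requirement."""
    deps = []
    # Join backslash-continued lines so each requirement is a single line.
    for raw in lockfile_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable requirement: {line}")
        name, version, rest = match.groups()
        hashes = re.findall(r"--hash=(\S+)", rest)
        deps.append(Dependency(name.lower(), parse_version(version), hashes))
    return deps


def scan(deps):
    """Scan: (package, advisory id, fixed version) for every vulnerable pin."""
    findings = []
    for dep in deps:
        advisory = ADVISORIES.get(dep.name)
        if advisory and dep.version < advisory["fixed_in"]:
            findings.append((dep.name, advisory["id"], advisory["fixed_in"]))
    return findings


def update_plan(findings):
    """Update: map each vulnerable package to the version it must move to."""
    return {name: ".".join(map(str, fixed)) for name, _, fixed in findings}


def enforce_hash_pinning(deps):
    """Preventative control: names of dependencies with no --hash pin.

    A non-empty result should fail the build; without a hash, whatever the
    index serves for that version is consumed unverified.
    """
    return [dep.name for dep in deps if not dep.hashes]


if __name__ == "__main__":
    deps = inventory(LOCKFILE)
    print("inventory:", [(d.name, d.version) for d in deps])
    print("findings:", scan(deps))
    print("update plan:", update_plan(scan(deps)))
    print("unpinned (fail build):", enforce_hash_pinning(deps))
```

Run as a script it prints the inventory, the one advisory hit, the version to update to, and the single dependency that fails the hash-pinning control. The split into four small functions mirrors the framework's separation of inventory, scan, update and enforcement, so each step can be wired to a different tool later without changing the others.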
The S2C2F includes a guide to assess your organization's maturity, and an implementation guide that recommends tools from across the industry to help meet the framework requirements. For example, both GitHub Advanced Security (GHAS) and GHAS on Azure DevOps (ADO) already provide a suite of security tools that can help teams and organizations achieve S2C2F Level 2 compliance.
The S2C2F is critical to the future of supply chain security
According to Sonatype's 2022 State of the Software Supply Chain report, supply chain attacks specifically targeting OSS have increased by 742 percent annually over the past three years. The S2C2F is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages, helping to mitigate supply chain attacks by reducing consumption-based attack surfaces. As new threats emerge, the OpenSSF S2C2F SIG under the Supply Chain Integrity Working Group, led by a team from Microsoft, is committed to reviewing and maintaining the set of S2C2F requirements to address them.
View the S2C2F requirements or download the guide now to see how you can improve the security of your OSS consumption practices for your team or organization. Come join the S2C2F community discussion within the OpenSSF Supply Chain Integrity Working Group.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.