Hi all,

A while ago, I came across the Core Infrastructure Initiative Badge Program, which awards a badge to open source projects that follow a set of best practices that show the project's commitment to security.

According to their web site (https://www.coreinfrastructure.org/programs/badge-program): "The Core Infrastructure Initiative (CII) Badge Program is a free program designed with the open source community with criteria that evolves to allow for compensating controls rather than a strict mechanical process. The Best Practices Badge is an open source secure development maturity model. Projects having a CII badge will showcase the project's commitment to security."

I wanted to see if there was interest in investigating what steps would need to be taken to earn a badge for the Evergreen project. The criteria for the badge are available at https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md. Scanning through the list, I see many criteria that we are already meeting.

I have a couple of reasons for wanting to pursue this badge:

- Running through the criteria list should be a useful exercise that will help us see what the strengths of our project are and where we need to improve. If we focus on improving the areas where we don't initially meet the criteria, it will help to strengthen our project.

- If we earn a badge, it can provide assurance to our users and to prospective users that we are a mature project that is following best practices identified by the open-source community as preferred standards. The badge is evidence that we do indeed follow recommended quality assurance practices and are committed to providing secure software.

If there is interest, maybe a few of us can divide up the list of criteria to identify ones we are already meeting and ones that we need to work on.

Let me know what you think.

Kathy

--
Kathy Lussier
Project Coordinator
Massachusetts Library Network Cooperative
(508) 343-0128
kluss...@masslnc.org
Twitter: http://www.twitter.com/kmlussier