Open source projects are in the spotlight as regulated industries, governments and those that sell to them ramp up cybersecurity expectations. Enter the Open Source Project Security (OSPS) Baseline!
May 8, 2025
Cross-posted with permission from Open Source Security Foundation
On April 24, the Open Source Security Foundation (OpenSSF) hosted a Tech Talk to help open source maintainers, contributors, and organizations better navigate the growing landscape of security standards and regulations.
Titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations,” the session explored how the OSPS Baseline can be applied to real-world projects—offering practical guidance on enhancing compliance, reducing risk, and building more resilient open source software.
On-demand video is now available.
Open source projects are now squarely in the spotlight as governments and industry ramp up cybersecurity expectations. Yet, open source maintainers—often volunteers—are typically left without clear guidance on how to meet these expectations. Enter the Open Source Project Security (OSPS) Baseline: a maintainer-first, practical framework developed under OpenSSF to help projects improve their security posture while aligning with broader regulations like the EU Cyber Resilience Act (CRA).
Emily Fox (Red Hat) kicked things off by tracing the evolution of security standards—from the 1980s to today’s supply chain attacks—and the challenge of applying these standards to open source. The key takeaway:
“Security and compliance language doesn’t translate easily to open source development. We’ve done a great job finding vulnerabilities—but not preventing them.”
As regulatory pressure increases (e.g., the CRA), open source is being asked to step up—but many projects lack the time, resources, or clarity to do so.
Ben Cotton (Kusari, Baseline SIG Lead) introduced the OSPS Baseline: a set of security controls designed to be:
“We wanted something maintainers could realistically adopt—without feeling overwhelmed or dictated to.”
The Baseline includes 8 categories of controls, a YAML-based spec for tooling, and is developed openly with community feedback.
Tooling is already underway to make evaluation easier:
Megan Knight (Arm, Global Cyber Policy WG Lead) encouraged the community to:
For more information, we encourage you to:
Additional resources mentioned:
The panel closed with a reminder: this work is just beginning. The OSPS Baseline welcomes contributors from all backgrounds—not just security experts. Documentation, policy translation, UX, and education are all essential to making open source security more accessible.
And don’t forget—OpenSSF Community Days are coming up in:
Catch us at Community Days and learn more about the OSPS Baseline there!
Missed the talk? Slides and recordings are available. Watch the on-demand video and download the slides here.