112 changes: 112 additions & 0 deletions baseline/OSPS-SA.yaml
@@ -269,3 +269,115 @@ controls:
the project can then think about how to proactively avoid or close off
any gaps/vulnerabilities that could arise.
Ensure this is updated for new features or breaking changes.


- id: OSPS-SA-04
title: |
The project MUST assess the security risks inherent in their software supply chain practices.
Contributor:
This might need some wordsmithing to be a little more clear, but I wouldn't block on this if we can't think of anything.

Contributor:
Are there projects that are doing this well, doing this poorly today? What does good enough look like?

objective: |
Provide project maintainers an understanding of the risks in their software
Contributor:
Is this "tooling" specific or should that be removed?

supply chain tooling allows them to plan mitigations to close off the potential
of those threats from occurring.
guideline-mappings:
- reference-id: BPB
entries:
- reference-id: B-S-8
- reference-id: S-G-1
- reference-id: CRA
entries:
- reference-id: 1.1
- reference-id: 1.2j
- reference-id: 1.2k
- reference-id: 2.2
- reference-id: SSDF
entries:
- reference-id: PO.5.1
- reference-id: PW.1.1
- reference-id: CSF
entries:
- reference-id: ID.RA-01
- reference-id: ID.RA-04
- reference-id: ID.RA-05
- reference-id: DE.AE-07
- reference-id: ISO-18974
entries:
- reference-id: 4.1.5
- reference-id: OpenCRE
entries:
- reference-id: 068-102
- reference-id: 154-031
- reference-id: 888-770
- reference-id: PSSCRM
entries:
- reference-id: G4.3
- reference-id: G5.2
- reference-id: P2.1
- reference-id: SAMM
entries:
- reference-id: Governance -Create and Promote Lvl1
- reference-id: Design -Threat Assessment -Application Risk Profile Lvl1
- reference-id: Design -Threat Assessment -Threat Modeling Lvl1
- reference-id: Verification -Architecture Assessment -Architecture Mitigation Lvl2
- reference-id: PCIDSS
entries:
- reference-id: 2.2.4
- reference-id: 2.2.5
- reference-id: 2.2.6
- reference-id: 6.2.1
- reference-id: 6.2.3.1
- reference-id: 6.3.2
- reference-id: 6.4.2
- reference-id: 11.3.1
- reference-id: 12.3.1
- reference-id: UKSSCOP
entries:
- reference-id: 1.4
- reference-id: 3.3
- reference-id: 800-161
entries:
- reference-id: CA-2
- reference-id: CA-2(3)
- reference-id: PM-30
- reference-id: RA-3
- reference-id: SA-11
- reference-id: SA-15
- reference-id: SA-15(3)
- reference-id: SA-15(8)
- reference-id: SI-3
- reference-id: SR-3
- reference-id: SR-3(3)
- reference-id: SR-6
- reference-id: SR-7
assessment-requirements:
- id: OSPS-SA-04.01
text: |
A project MUST perform a security assessment of the software
supply chain security practices of the project. This should
Contributor:
Suggested change
supply chain security practices of the project. This should
supply chain security practices of the project to

If we don't introduce new instances of "should" in the title or text fields, I won't have to go back and remove them when I get around to doing that. :-)

examine the most likely and impactful potential security problems
that could occur in the supply chain of the software, including
both the tool.
Contributor, commenting on lines +357 to +358:
What is "including both the tool."?

applicability:
- Maturity Level 2
- Maturity Level 3
recommendation: |
Performing a security assessment informs both project members as well
Contributor:
This is a place where we'll really want some reference implementations to direct people to.

as downstream consumers that the project understands what risks it
faces in its software supply chain. Understanding threats helps a
project understand the value of moving to more secure design
practices. Ensure this is updated as practices change.

- id: OSPS-SA-04.02
text: |
Contributor:
I'm not clear on what distinction you're drawing between 04.01 and 04.02. It seems like some of 04.02 is duplicative, and if so, we can drop that. Is the idea that 04.02 says "do what you did for 04.01, but also include your dependencies in it"?

The text should also be shorter here, ideally 1-2 sentences, and we can expand in the recommendation if needed.

Author:
I also mean to look at your tooling. Are you using appropriate VCS controls? Are you generating attestations? Is your software update infrastructure compromise-resilient? Do you have a recovery plan for a compromise in these areas?

When the project has made a release, the project MUST perform a
security assessment of their software supply chain practices and
have analyzed their dependencies. This should also include means
Contributor:
Dependency management should be effectively covered by existing controls.

to provide effective security practices for outside contributions.
This needs to include a security assessment of software supply
chain security practices from dependencies.
applicability:
- Maturity Level 3
recommendation: |
Threat modeling of the software supply chain is an essential part
Contributor:
Are there existing examples of open source projects doing this well?

of a project's security as a whole. This needs to include some
assessment of dependencies and outside contributions practices.
Ensure this is updated as dependencies and practices are changed.
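Review bot: the assessment text for OSPS-SA-04.01 ends mid-sentence at "including both the tool." (the lines flagged at +357 to +358), so the requirement as written does not say what the assessment must cover; either complete it, for example "including both the tooling the project uses to build and release the software and the practices around it", or drop the fragment. The objective is also ungrammatical once its wrapped lines are read together ("Provide project maintainers an understanding of the risks in their software supply chain tooling allows them to plan mitigations to close off the potential of those threats from occurring."); splitting it into "Provide project maintainers an understanding of the risks in their software supply chain tooling. This allows them to plan mitigations that close off those threats." fixes that. OSPS-SA-04.01 introduces "This should" inside a MUST requirement, and OSPS-SA-04.02 largely restates 04.01 with dependencies and outside contributions added; if the only distinction is that scope, 04.02 can be reduced to that one sentence, with the rest moved into its recommendation. Finally, the SAMM reference-ids are written with " -" and no space after the hyphen ("Governance -Create and Promote Lvl1"); check that they match the identifier form used elsewhere in the baseline.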