In an effort to enhance “supply chain security for everyone,” Microsoft announced that the Open Source Security Foundation (OpenSSF) of the Linux Foundation has adopted its Secure Supply Chain Consumption Framework (S2C2F).
With the approval of the framework by the OpenSSF, Adrian Diglio, principal program manager for secure software supply chain at Microsoft, explained that “the community it serves may now have a hand in extending and improving it.”
In its own open source software (OSS) development processes, the No. 2 cloud giant has been using S2C2F for the past three years. As “a massive consumer of and contributor to open source, Microsoft understands the importance of a robust strategy around securing how developers consume and manage OSS dependencies when building software.”
The hyperscaler will work with other members of OpenSSF and the organization’s community to maintain the framework, and Microsoft will continue to serve as the group’s leader. “As necessary, we will also work closely with the other OpenSSF Working Groups, such as the Best Practices and End Users WGs,” said Diglio.
The consumption-centric framework, which was adopted by OpenSSF’s Supply Chain Integrity Working Group, uses a threat-based approach: it enumerates the known supply chain threats that arise from consuming OSS and maps each of its requirements to the threats that requirement mitigates.
The use of open source software is a core component of any development team’s or organization’s software supply chain. “The S2C2F criteria provide clarity and empower teams throughout the world to take action to improve security,” he continued. Open source should be part of every developer’s workflow.