To guarantee the secure usage of open source software (OSS) by developers, the Open Source Security Foundation (OpenSSF) announced on Wednesday that it has approved the Secure Supply Chain Consumption Framework (S2C2F).
Microsoft has been applying S2C2F as its own OSS consumption policy since 2019. According to Microsoft Chief Technology Officer Mark Russinovich on Wednesday, it was formerly known as the “Open Source Software Supply Chain Security Framework.”
It is noteworthy that OpenSSF, a Linux Foundation project concerned with the overall security of the OSS supply chain, adopted the S2C2F strategy. The announcement from OpenSSF states that S2C2F will assist developers in consuming OSS packages securely.
S2C2F is built from the ground up to protect developers from inadvertently consuming vulnerable packages (including malicious or compromised packages), reducing the consumption-based attack surface and helping to mitigate supply chain attacks.
Microsoft has donated the S2C2F guidelines to OpenSSF. Founding members of OpenSSF include “GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat”, as described in the OpenSSF FAQ.
S2C2F is currently supported by OpenSSF’s Supply Chain Integrity Working Group, which has its own Special Interest Group. Participants plan to change the S2C2F policy as new OSS threats emerge.
The OpenSSF announcement describes S2C2F as a “complete guide” to securing OSS usage.
The Secure Supply Chain Consumption Framework (S2C2F), coupled with producer-centric and artifact-centric frameworks such as Supply-chain Levels for Software Artifacts (SLSA), provides software producers and consumers with complete guidance on how to securely create and consume software.