The Core Infrastructure Initiative (CII), a collaborative project run by the Linux Foundation, is aiming to develop a free security best practices program for open source software.
Under the scheme, known as the Best Practices Badge Program, the CII said open source project maintainers will get an automated tool to run and a short questionnaire to answer, assessing their development practices, use of change control tools, attention to quality and focus on security.
One of the metrics being considered for the Badge Program is the FAIL index devised by Tom Callaway, engineering manager for Fedora, Red Hat's community Linux distribution.
This scores typical fail points such as projects having no publicly available source control like Apache Subversion, lack of documentation on how to build software from source, no mailing list or no per-file licensing.
The Badge Program is also considering researchers Charles Schweik and Robert English's quantitative analytical work Internet Success on how some OSS projects succeed while others are abandoned.
It is also looking at the Stol and Babar evaluation framework and the QualiPSO Open Source Maturity Model, among several others, to develop the criteria for the software security quality scheme.
A CII Best Practices Badge awarded to an open source project will let users quickly tell which projects prioritise security-conscious development.
The CII has published a first draft of the criteria it is considering for the Badge Program on GitHub, and has set up a mailing list for discussion.