The Open Source Security Foundation (OpenSSF) announced on Wednesday that it has accepted Microsoft's Secure Supply Chain Consumption Framework (S2C2F), a framework for securely consuming open source software.
S2C2F, which has been in use at Microsoft since 2019 and was made public in August 2022, identifies real-world threats to open source software (OSS) consumers and sets out mitigations for them.
To reduce the supply chain risk that comes with consuming OSS, the framework takes a threat-based, risk-reduction approach focused on the consumer side.
The framework covers eight practice areas: ingestion, inventory, updates, enforcement, audit, scanning, rebuilding, and fixing issues upstream.
It defines four maturity levels: basic governance practices (OSS inventory, vulnerability scanning, and dependency updates), improving mean time to remediate (MTTR) vulnerabilities in OSS, proactive security analysis and controls, and mitigation against sophisticated attacks.
"Teams and organizations may more effectively prioritize their activities in line with the maturity model by using the S2C2F."
"Because the framework allows teams to target a certain degree of compliance, they can make purposeful and gradual progress toward decreasing supply chain risk," Microsoft notes.
The framework also includes guidance to help organizations assess their current maturity level, along with an implementation guide that recommends industry tools for meeting the framework's requirements.
S2C2F is intended to keep developers from unintentionally pulling in malicious or compromised packages, thereby reducing supply chain attacks.
The OpenSSF S2C2F special interest group (SIG), led by a Microsoft team, will maintain the S2C2F specification and update it to address emerging threats.
"One of its key features, and one of the reasons we were so thrilled to include it in the OpenSSF, is how well it matches with any producer-focused framework, such as SLSA [Supply chain Levels for Software Artifacts]."
"For example, S2C2F's Level 3 demand for provenance of all dependency artifacts may be met by generating artifact provenance in a way that is recognized as trustworthy by SLSA," OpenSSF explains.