CII Best Practices Badge, 1.5 years later

David A. Wheeler

At the Linux Security Summit 2017 I gave a presentation titled “CII Best Practices Badge, 1.5 years later”.  It’s basically a status report about the CII Best Practices badging project.


A few highlights:

* We continue to grow (e.g., in the number of participating projects and the number passing badges).

* In general, the number of passing projects seems to be consistently about 10% of the participating projects.  I’m not sure why!

* The most commonly-missed criteria (at first), among projects close to passing, are now vulnerability_report_process (make sure you tell people how to report vulnerabilities) and sites_https_status (HTTPS).

* The criterion tests_are_added (tests are added for new major functionality) is the third most likely problem (it *was* #1).  Hopefully that’s because more projects are working to create & maintain test suites, but trends are always suspicious when there are only 2 data points J.

* Most importantly: We’re making a difference.  OSS projects are reporting that they’re changing things in their projects to meet the criteria, and as a result improving their project.  In many cases, they kept putting it off (e.g., test suites and HTTPS).  In other cases, they just didn’t think of it (e.g., telling people how to report vulnerabilities).  None of this guarantees that there will never be vulnerabilities, of course, but taking care of these things makes it easier to produce software more resistant to attack & more responsive when vulnerabilities are found – and that helps all of us.


You can see much more here:


Once again, I want to say THANK YOU VERY MUCH for everyone who has participated in this badging project.  No doubt there are improvements that can be made and need to be made.  That’s true for any project J.  But in my mind, the right test for a project is, “is the world a better place because this project exists?”  I believe the badging project is passing that test with flying colors, and that could not have happened without you.  Thank you very much for ALL the effort that ALL of you have put into the badging project.


--- David A. Wheeler