Proposal: Stop requiring X-XSS-Protection, require CSP with explanation, for criterion hardened_sites (4 messages)
I propose that for the "hardened_sites" criterion we stop requiring the HTTP header X-XSS-Protection, and that we require CSP & explain why. Here's the background. The Linux kernel is failing to meet
By David A. Wheeler

[EXT] [CII-badges] Proposal: Stop requiring X-XSS-Protection, require CSP with explanation, for criterion hardened_sites
This change makes perfect sense. Best, Jason N. Dossett, Ph.D. Research Staff Member Institute for Defense Analyses 4850 Mark Center Drive, Alexandria, VA 22311 Phone: 703-578-2773 Email: jdossett@...
By Jason Dossett

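The thread above argues that X-XSS-Protection (a legacy, browser-specific header) should no longer count toward "hardened_sites" and that a Content-Security-Policy should be required instead. As an added illustration, not code from the badge project or from the proposal, here is a small header check in that spirit: it requires a CSP, looks at the effective script-src (falling back to default-src, as browsers do), and flags a policy that allows any origin or relies on 'unsafe-inline' without a nonce or hash. The list of headers checked and the sample responses are assumptions for the example, not the actual criterion text.

```python
"""Added example: score HTTP response headers the way a hardened-site check
could after the proposal above. Not the badge application's own code."""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; when absent, browsers fall back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def check_hardened_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Return {"pass": bool, "findings": [...], "notes": [...]} for one response.

    findings fail the check; notes are informational (e.g. a legacy header).
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    notes: List[str] = []

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        scripts = [s.lower() for s in effective_script_sources(parse_csp(csp))]
        if not scripts:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            if "*" in scripts:
                findings.append("script-src allows any origin (*)")
            # With a nonce or hash present, CSP-aware browsers ignore 'unsafe-inline',
            # so only flag it when nothing restricts inline scripts.
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
            )
            if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
                findings.append("script-src permits 'unsafe-inline' without nonce or hash")

    if "x-xss-protection" in lower:
        # Present or not, this header earns no credit: it is a legacy browser filter.
        notes.append("X-XSS-Protection present; ignored (legacy header, CSP is what counts)")

    return {"pass": not findings, "findings": findings, "notes": notes}


# Constructed sample responses (assumed for the example, not real site headers).
HEADERS_LEGACY = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
}
HEADERS_HARDENED = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'nonce-R4nd0mV4lu3'; "
                               "style-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000",
}
HEADERS_WEAK_CSP = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for name, hdrs in [("legacy", HEADERS_LEGACY), ("hardened", HEADERS_HARDENED),
                       ("weak-csp", HEADERS_WEAK_CSP)]:
        print(name, check_hardened_headers(hdrs))
```

The check treats a missing or permissive CSP as the finding and never rewards X-XSS-Protection, which is the policy change the proposal asks for.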
Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-04. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-03. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

I now work at the Linux Foundation!
All: As of today, I am a full-time employee of the Linux Foundation. My official title is "Director, Open Source Supply Chain Security". Basically, I'm going to be working full-time on various efforts to
By David A. Wheeler

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-02. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

More on spam countering efforts
FYI, we have implemented some simple spam countering mechanisms on the best practices badge application. Most trivially, whenever someone tries to create a project badge entry, they now see this: We'v
By David A. Wheeler

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2020-01. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Need some advice addressing "unfixable" publicly known vulnerabilities (3 messages)
CII Badging community, I just updated the ESAPI project on the CII Badges site to account for a newly discovered CVE. Specifically, I added this verbiage: Most Software Compositional Analysis tools /
By Kevin W. Wall

Did logins change because of the CII-Badges new spam defenses? (2 messages)
David, et al, Does the username / password for https://bestpractices.coreinfrastructure.org/ now require it to be done via GitHub? I just tried to login using my Gmail account (which was how I registe
By Kevin W. Wall

Projects totals for last month impacted by spam countering efforts
Some of you may have noticed that the "Total Projects" went down last month (2855 to 2852), but the number of projects at 25%+ went up (1089 to 1114). The explanation is that we've been working to del
By David A. Wheeler

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2019-12. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Suggestions on countering spammers? (6 messages)
Sadly, spammers have started to add nonsense "projects" to the CII Best Practices site at a higher rate than before. It appears to be all SEO-related fraud. I suppose that was inevitable, and I guess
By David A. Wheeler

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2019-11. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2019-10. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures (4 messages)
A very few of our criteria mention CVSS (a method for estimating the risk from a vulnerability). For example, [dynamic_analysis_fixed] says this: CRITERION: "All medium and high severity exploitable v
By David A. Wheeler

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2019-09. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

FYI: CII Best Practices badge site continues to get updates
FYI: We continue the work to keep the CII Best Practices badge site working smoothly. In particular, we've done a number of updates to keep things going over the last several months. You generally should
By David A. Wheeler

Projects that received badges (monthly summary)
This is an automated monthly status report of the best practices badge application covering the month 2019-08. Here are some selected statistics for most recent completed month, preceded by the same s
By badgeapp@...

CII Best Practices badge application not affected by EU GDPR "like" button issues
The Court of Justice of the European Union (ECJ) has ruled that online websites that embed a Facebook "Like" button are responsible for the data they send to Facebook and are liable for the same penal
By David A. Wheeler