Understand and improve your project’s security posture


Hello everyone :turkey:,

Happy holidays to all who celebrated; nonetheless, I hope we all could enjoy some rest! :sleeping:

One thing I am definitely thankful for is consolidated security reports! Imagine finding vulnerabilities manually… yikes. The ability to quickly understand a project’s security posture is important for everyone involved in open source communities.

LFX Security provides a central, non-intrusive location for participating parties in open source communities to understand, manage, and maintain best security practices. It enables project leaders, contributors, governance groups, supporting organizations, and others in open source communities to make better decisions, such as:

  • ensuring trusted projects get adopted to a parent project
  • leveraging digital badging to help define stages of project maturity
  • determining how enterprise-ready and sustainable projects are

Today we will cover:

  • accessing projects on LFX Security
  • project security cards and security dashboard
  • tips on improving a project’s security posture

Let’s go! :flying_saucer:

Step 1: Access LFX Security

To access LFX Security features you will need a Linux Foundation Community Profile. If you do not have one, you can create one on the LFX Homepage.

Once you have logged in to your Community Profile, you can access LFX Security at https://security.lfx.dev/

Step 2: Locate your project

You should now be on the LFX Security landing page, which displays the Security Leaderboard and project security cards.

Locate the search input directly under the Security Leaderboard and search for the desired project.

Step 3: Review the project security card

In the main view of the projects page, you now see your project’s security card.

The project security cards contain general security aggregations and are available publicly. Project security cards contain:

  • CII Best Practices badge status, which can be added to your project here.

  • Total count of found, fixable, and fixed vulnerabilities.

  • Total count of code secrets detected from all scanned repos.

  • Total count of non-inclusive language terms in the project code.

  • Repository count.

Step 4: Access the project dashboard

At the bottom of the project security card, click on the ‘View Dashboard’ button.

You will be directed to our identity verification page so that you can be granted access to the project security dashboard. The following roles, or similar roles, will be granted access:

  • Project maintainer
  • Technical contributor
  • Member organization or committee member

Once you confirm your identity you will be directed to the project’s security dashboard.

Step 5: Review project security dashboard overview

On entering the dashboard you land on the ‘Overview’ page, which displays scores calculated across the project as a whole:

  • CVSS (Common Vulnerability Scoring System)
    • The average severity metric across all of the project’s vulnerabilities (1: lowest severity, 10: highest severity).
  • Secrets and Compliance Risk Score
    • The average amount of normalized risk detected across all repos in this project.
  • CII Best Practices Score
    • The aggregate CII Best Practices progress of the project.
  • Project Criticality
    • Measures the influence and importance of the project, in partnership with OSSF metrics.
    • This data is used to proactively improve the security posture of highly critical projects.

Scrolling down, you will find charts and graphs with more information on vulnerabilities, code secrets, and non-inclusive language instances.

The ‘Non-Inclusive Language’ chart shows which non-inclusive terms are being used in the project, and the ‘Vulnerabilities Detected’ chart shows the count and severity level of the project’s vulnerabilities.

You can filter the vulnerability data shown in the vulnerabilities charts and graphs here:

Step 6: Understand and improve your project’s security posture

Now you may be asking yourself how you can use this information. Here are a few tips to help improve a project’s security posture.

  • Use the data to create goals or benchmarks for project adoption.
  • Communicate alternative terms to replace highly used non-inclusive language.
  • Create GitHub/Gerrit issues to fix as many fixable issues as possible, or dismiss an issue that is deemed a false positive to reduce the vulnerability count. This can all be done in the issues tab in LFX Security.

Which feature in LFX Security do you find most interesting or resourceful?

How were you monitoring and managing project security before?