FAQ

The S2C2F is a combination of processes and tools for any organization to adopt to help establish a secure OSS ingestion process to protect developers from OSS Supply Chain threats and to help establish a governance program to manage your organization’s use of OSS. The framework is based on three core concepts: control all artifact inputs, continuous process improvement, and scale.

We define OSS as any source code, language package, module, component, library, or binary that you can consume into your software project as a dependency that does not have a paid-support contract. We don’t factor in the license of code into this discussion because the availability of support is more important from a security point-of-view than the terms of redistribution.

Our framework provides the support and implementation guidance to protect your supply chains and prevent open source software threats from compromising your organization’s software and development environment. The framework includes solution-agonistic practices – suited for individuals like compliance/risk managers, security managers, engineering managers, and Chief Information Security Officers – plus an implementation guide with recommended tooling – suited for software developers, Continuous Integration and Continuous Development administrators, and security practitioners.

The S2C2F does not provide guidance on how to secure your DevOps workflows, how to secure your build infrastructure, or how to secure the code you author.

We want to make this framework contributable and open as much as possible, and towards this effort, we plan to work with industry organizations such as the OpenSSF.

To view our contribution guidelines and when public meetings are held, please view our GitHub repository. Updates to the whitepaper, suggestions for updates, or discussion for updates should initiate with an issue submitted to the repository per contribution guidance.

There are many threats targeting open source software. Please see the Open Source Software Threats page to learn about some real life example threats and how the S2C2F can protect you against them.

Since Microsoft began implementing the S2C2F, we saw dramatic improvement in Mean Time To Remediate (MTTR) for resolving OSS vulnerabilities after implementing features such as vulnerabilities as comments in Pull Requests (PRs) and automated OSS patching. We also measured 3,000% improvement in Mean Time To Respond (MTTR) to malicious OSS incidents where we block further ingestion, query our inventory to identify affected teams, and perform appropriate response actions. 

DevSecOps - or development, security, and operations – is a great way to secure your organization’s software and development environments holistically. However, there are many threats specific to leveraging Open Source Software, so the S2C2F details a separate set of practices tailored to these scenarios that DevSecOps traditionally does not target.

Microsoft published the SDL to provide guidance on how to produce secure code throughout the development process. Now, we are providing a dedicated framework to enhance any organization’s OSS governance program to address secure supply chain threats for how developers ingest external OSS components, such as NuGet and NPM. The S2C2F should be thought of as an extension to SDL and DevSecOps. 

Across the software industry today, developers are using and relying upon OSS components to expedite developer productivity and innovation – which makes OSS a critical piece of any software’s supply chain. However, cyberattacks that specifically target open source are growing at an exponential rate, as they are trying to abuse these package manager ecosystems to either distribute their own malicious components or to compromise existing OSS components. 

The S2C2F is focused on securely consuming OSS and makes an excellent bridge to other producer-focused supply chain security frameworks. This is complementary to all other frameworks to achieve and exceed compliance with NIST SSDF and the recent Cybersecurity Executive Order.