This is the Trace Id: c56a0203ef2aa8ef421440d1bac1aa76

Secure Supply Chain Consumption Framework (S2C2F)

The Secure Supply Chain Consumption Framework (S2C2F) is a security assurance and risk reduction process that is focused on securing how developers consume open source software.

Who is this intended for? This is a consumption-focused secure supply chain framework using a threat-based risk-reduction approach. The S2C2F aims to prevent the consumption of compromised and malicious OSS packages, and decrease the Mean Time To Remediate (MTTR) for addressing known vulnerabilities in OSS. The S2C2F provides security guidance and tools throughout the developer inner-loop and outer-loop processes. 

The OpenSSF S2C2F is based on three core concepts—control all artifact inputs, continuous process improvement, and scale:

Diagram.jpg

Control All Artifact Inputs

There are a myriad of ways that developers consume OSS today: git clone, wget, copy & pasted source, checking-in the binary into the repo, direct from public package managers, repackaging the OSS into a .zip, curl, apt-get, git submodule, and more. Securing the OSS supply chain in any organization is going to be near impossible if developer teams don’t follow a uniform process for consuming OSS. Enforcing an effective secure OSS supply chain strategy necessitates standardizing your OSS consumption process across the various developer teams throughout your organization, so all developers consume OSS using governed workflows.

Continuous Process Improvement

To help guide organizations through continuous process improvement, we have organized the S2C2F into a maturity model. Because security risk is dynamic and new threats can emerge at any time, the S2C2F places heavy emphasis on understanding the new threats to the OSS supply chain and requires regular evaluation of OSS SSC processes and introduction of changes in response to new technology advancements or new threats.

Scale

The OpenSSF S2C2F tools were developed to secure how developers consume OSS today at scale without requiring a central internal registry or central governance body.

Download the guide

The S2C2F is a combination of processes and tools for any organization to adopt, along with a capability maturity roadmap to help establish a secure OSS ingestion process to protect developers from OSS Supply Chain threats, and to establish a governance program to manage your organization’s use of OSS.