On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework. As a massive consumer of and contributor to open source, Microsoft understands the importance of a robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software. We are pleased to announce that the S2C2F has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Initiative Group (SIG). Our peers at the OpenSSF and across the globe agree with Microsoft when it comes to how fundamental this work is to improving supply chain security for everyone.
What is the S2C2F?
We built the S2C2F as a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real-world threats. One of its primary strengths is how well it pairs with any producer-focused framework, such as SLSA.1 The framework enumerates a list of real-world supply chain threats specific to OSS and explains how the framework’s requirements mitigate those threats. It also includes a high-level platform- and software-agnostic set of focuses that are divided into eight different areas of practice:
Each of the eight practices are comprised of requirements to address the threats and reduce risk. The requirements are organized into four levels of maturity. We have seen massive success with both internal and external projects who have adopted this framework. Using the S2C2F, teams and organizations can more efficiently prioritize their efforts in accordance with the maturity model. The ability to target a specific level of compliance within the framework means teams can make intentional and incremental progress toward reducing their supply chain risk.
Each maturity level has a theme represented in Levels (1 to 4). Level 1 represents the previous conventional wisdom of inventorying your OSS, scanning for known vulnerabilities, and then updating OSS dependencies, which is the minimum necessary for an OSS governance program. Level 2 builds upon Level 1 by leveraging technology that helps improve your mean time to remediate (MTTR) vulnerabilities in OSS with the goal of patching faster than the adversary can operate. Level 3 is focused on proactive security analysis combined with preventative controls that mitigate against accidental consumption of compromised or malicious OSS. Level 4 represents controls that mitigate against the most sophisticated attacks but are also the controls that are the most difficult to implement at scale—therefore, these should be considered aspirational and reserved for your dependencies in your most critical projects.
The S2C2F includes a guide to assess your organization’s maturity, and an implementation guide that recommends tools from across the industry to help meet the framework requirements. For example, both GitHub Advanced Security (GHAS) and GHAS on Azure DevOps (ADO) already provide a suite of security tools that will help teams and organizations achieve S2C2F Level 2 compliance.
The S2C2F is critical to the future of supply chain security
According to Sonatype’s 2022 State of the Software Supply Chain report,2 supply chain attacks specifically targeting OSS have increased by 742 percent annually over the past three years. The S2C2F is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages helping to mitigate supply chain attacks by decreasing consumption-based attack surfaces. As new threats emerge, the OpenSSF S2C2F SIG under the Supply Chain Integrity Working Group, led by a team from Microsoft, is committed to reviewing and maintaining the set of S2C2F requirements to address them.
Learn more
View the S2C2F requirements or download the guide now to see how you can improve the security of your OSS consumption practices in your team or organization. Come join the S2C2F community discussion within the OpenSSF Supply Chain Integrity Working Group.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Supply chain Levels for Software Artifacts (SLSA).
28th Annual State of the Software Supply Chain Report, Sonatype.