Microsoft has been using S2C2F as its OSS integration policy since 2019. The policy was formerly known as the “Open Source Software Supply Chain Security Framework.”

OpenSSF, a Linux Foundation project concerned with the overall security of the OSS supply chain, has adopted the S2C2F strategy. The announcement from OpenSSF states that S2C2F will assist programmers in consuming OSS packages securely.

S2C2F is a platform that helps developers protect themselves from inadvertently consuming vulnerable packages, reducing the consumption-based attack surface and helping to mitigate supply chain attacks.

Microsoft has donated the S2C2F guidelines to OpenSSF. OpenSSF is a community of developers working together to improve security and compliance with the standards set by the OpenSSL Project. The guidelines were created by Microsoft and are now available to be used by developers working on projects using OpenSSL.

OpenSSF’s Supply Chain Integrity Working Group is currently working on a new policy for S2C2F. They believe that the policy should be updated to account for new threats, and they are currently in the process of doing so.

The OpenSSF announcement describes S2C2F as a complete guide to securing OSS usage. It provides step-by-step instructions on how to create, deploy, and manage an OSS environment using S2C2F.

The Secure Supply Chain Consumption Framework (S2C2F) provides guidance on how to securely create and consume software. It is based on the concept of the supply chain level of software artifacts, which helps producers and consumers understand the different aspects of a software product’s development and use.