As both a major consumer of and contributor to open source, Microsoft understands the importance of a robust strategy for securing how developers consume and manage open source software (OSS) dependencies in their workflows. In August 2022, Microsoft contributed the Secure Supply Chain Consumption Framework (S2C2F) to the OpenSSF. Microsoft has used the framework alongside the Microsoft SDL to secure its own development practices since 2019, as shown below.
The S2C2F is a consumption-focused framework built on a threat-based risk reduction approach. It identifies a holistic set of 8 solution-agnostic practices for securing the OSS supply chain, each consisting of requirements that address real-world threats. The requirements are organized into 4 maturity levels so that teams and organizations can prioritize their efforts and make intentional, incremental progress toward reducing their supply chain risk.
The S2C2F also includes a process for assessing your team's or organization's maturity, a mapping of S2C2F requirements to 6 other supply chain specifications, and a maturity-model-based implementation guide with links to example tools from across the industry. Just as with the SDL, tools and processes must be built into the developer's workflow to meet the S2C2F requirements and establish a secure OSS ingestion process. Microsoft continues to improve the framework in partnership with the OpenSSF as part of the Supply Chain Integrity working group.