Publicity
David A. Wheeler edited this page Jul 29, 2020 · 24 revisions
Here are some examples of where the CII best practices badge has been publicly discussed. This includes our efforts to let people know about it, as well as others' public discussions about it that have reached many people. They are listed here in reverse chronological order:
- CHAOSSCast 10: Managing Risks and Opportunities in Open Source with Frank Nagle & David A. Wheeler, 2020-07-24
- "Why CII best practices gold badges are important", 2020-06-17
- The Zephyr section of the Delft Students on Software Architecture: DESOSA 2019, 2019-12-20 (an architecture class's team report, in which they examined open source software projects, notes the CII Best Practices badge work: "In conclusion, Zephyr could serve as a role model not only for Real-time Operating Systems, but also for open-source software projects in general... They follow some of the [CII best] practices as can be seen from their gold badge and this process goes a long way in avoiding technical debt.")
- FLOSS Weekly 550: CII Best Practices Badge Update, 2019-10-12
- FLOSS Weekly 522: Railroader primarily discussed the Railroader project, but it also touched on the continued progress of the CII Best Practices badge.
- Core Infrastructure Initiative (CII) Best Practices Badge in 2019 by David A. Wheeler (2019-03-14) was a presentation at the Linux Foundation's Open Source Leadership Summit 2019 in Half Moon Bay, CA. This gave the latest status about the badging project.
- A Sample Security Assurance Case Pattern (2018) discusses how to create secure software by applying an assurance case, and uses the Badge Application's assurance case as an example.
- An introduction to the CII Best Practices Badge by David A. Wheeler, 2018-11-01
- "The Only Linux Foundation CII Gold Rated Project Is a .. PHP Markdown Parser" on Hacker News (2018-10-06). This was a posting by reindeerer, who later explained that his point was "Certainly not knocking on the badge or the practices. I just found it amusing that PHP often gets a bad rap, but then shows up at the top of the listed projects for objectively good development practices." This included a few interesting comments:
  - exikyut said, "I just found and read through the criteria list. It's mind-bogglingly exhaustive, but in a very good way, and an excellent catalyst for maintainable, secure software. I'd regard it as universally applicable to any and all code."
  - reindeerer said, "Best practices are a bit like good genes. By no means a guarantee of success, fame, glory and riches, but damn if they don't make things easier."
  - throwaway2048 said, "I see absolutely nothing dogmatic or cargo cult about the recommendations they make. They are completely sensible, and a decent guideline for improving the technical support infrastructure of a project."
- "Should R Consortium Recommend CII Best Practices Badge for R Packages: Latest Survey Results" by Mark Hornick (July 26, 2018), R Consortium Project blog
- "How to Develop Secure Applications: The BadgeApp Example" (video) by David A. Wheeler, 2017-09-18
- "CII Best Practices Badge, 1.5 years later" by David Wheeler, Linux Security Summit 2017, Los Angeles, CA, 2017-09-14
- "CII Best Practices Badge, One year later" by David Wheeler, Open Source Leadership Summit 2017, Lake Tahoe, CA, 2017-02-14. There is also a video available.
- Open Source Security podcast episode 14 - David A Wheeler: CII Badges. Here's a nice quote: "This is a fantastic project... I think it is one of the most important security things going on today without question... folks go get your badges and make the world a better place..."
- "Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy" by Paul E. Black, Lee Badger, Barbara Guttman, and Elizabeth Fong, November 2016, NISTIR 8151 said the following in section 3: "Software can also benefit from the programs and criteria of third-party, non-governmental organizations. Some possibilities (include the)... Core Infrastructure Initiative (CII) Best Practices badge..."
- "Report of the Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities (SwMM-RSV)" by Paul E. Black and Elizabeth Fong, November 2016, NIST Special Publication 500-320 said the following in section 1.3.6: "Participants judged that software could benefit from the programs and criteria of widely-accepted non-governmental organizations. Some possibilities are UL’s Cybersecurity Assurance Program (CAP), Consortium for IT Software Quality (CISQ) Code Quality Standards, and (the) Core Infrastructure Initiative (CII) Best Practices badge."
- "How OPNFV Earned Its Security Stripes and Received a CII Best Practices Badge", Linux.com, September 12, 2016
- "Linux Foundation Core Infrastructure Initiative (CII) Best Practices Badge" by Dr. David A. Wheeler, Software and Supply Chain Assurance Forum, 2016-09-14
- The ChangeLog #215: Core Infrastructure Initiative Best Practices Badge with David A. Wheeler
- "Open Source best practices criteria", Brandon Keepers (atom text editor), 2016-07-03. He said, "This is a great project and is receiving adoption in some circles..." and had two suggestions: "It needs a shorter and catchier name so I can tell more people about it" and "The project could benefit from more automation and autodetection." (David A. Wheeler agrees with both points.)
- "Preventing the next Heartbleed and making FOSS more secure", interview by Mark Bohannon of David A. Wheeler, 2016-06-22, opensource.com
- "Core Infrastructure Initiative (CII) Best-Practices Badge Criteria" by David A. Wheeler, June 28, 2016, IDA NS D-8054
- "How to Get an Open Source Security Badge from CII" by Emily Ratliff and David A. Wheeler, linux.com, 2016-06-01
- "Core Infrastructure Initiative best-practices badge" by David A. Wheeler, LWN.net, 2016-06-08
- "Best Practices Badge", FLOSS Weekly 389, 2016-05-24
- "The Dave and Gunnar Show: Badge of Open Source Honor", 2016-05-10
- "CII’s Best Practices badge program is making open source projects more secure" by Swapnil Bhartiya, CIO, May 3, 2016
- "Linux Foundation launches badge program to boost open source security" by Charlie Osborne, May 3, 2016
- "Free Badge Program Signals What Open Source Projects Meet Criteria for Security, Quality and Stability" (Linux Foundation Press release), 2016-05-03