Open Source & More - Blog | Tidelift

Introducing TACOS: Trusted Attestation and Compliance for Open Source

Written by Lauren Hanford | April 4, 2023

In the previous blog posts of this series, I talked about the NIST Secure Software Development Framework and its impact on open source software, and how Tidelift helps organizations comply with this framework for open source software.

In this post I want to talk about TACOS. 🌮🌮🌮 

TACOS, in addition to being delicious, are now getting a new meaning as a framework for evaluating and attesting to the secure software development practices of open source packages. Read on to learn more, or visit us here.

Why is open source attestation necessary?

The U.S. government is now requiring companies selling software to the government to start attesting to the secure development practices in place across their software development lifecycle. OMB memorandum M-22-18 set an aggressive schedule for compliance, with organizations being required to provide attestations by June 2023 (for critical software) and September 2023 (for all other software). Furthermore, M-22-18 pointed to the NIST Secure Software Development Framework (SSDF) as the framework for these attestations to follow. Organizations selling software to the government must now not only attest to the secure software development practices being used to create code inside their organizations, but they must also provide the attestations for the open source code they pull into their applications. 

This raises the question: how can an organization selling software to the government, and needing to meet these attestation deadlines, get the data to confidently attest that the open source components it relies on follow those NIST secure development standards?

That’s where Tidelift—and our partnered open source maintainers—can help! 

Over the last several years we have built a unique set of relationships with the open source maintainers behind thousands of the most relied upon open source packages. We pay them to implement secure development practices (including many of those required by the NIST SSDF) into their packages. As a result, we have seen consistent measurable improvements to the health of these packages (as measured through the OpenSSF Scorecard project) and to the downstream supply chain that relies on them. 

This approach has helped us clearly identify the type of development standards that lead to meaningful improvements in the overall security and resilience of open source projects. The core of Tidelift’s product is evaluating upstream application libraries against a set of standards, and delivering continuous information on that evaluation.

When the U.S. government published the requirements for attesting to secure development practices, we asked ourselves and our customers, how can we help software producers confidently attest to the secure development practices implemented by independent open source maintainers in the packages they use? How might that be easier to consume and report to the U.S. government? 

So we designed an attestation framework that includes the secure development standards being asked for as part of the NIST SSDF. We’re now making this framework, Trusted Attestation and Compliance for Open Source (TACOS), available as an open source project for everyone to use. 

What is TACOS?

TACOS is a framework for assessing the development practices of open source projects against a set of secure development standards specified in the NIST SSDF. The framework defines a machine-readable specification that can be used as a part of the overall self-attestation requirement to comply with the requirements and deadlines outlined in OMB memorandum M-22-18. 

TACOS is grounded in the NIST SSDF, and draws from the OpenSSF Scorecard project and the Center for Internet Security Software Supply Chain Security Guide as well. At Tidelift, we use TACOS internally to provide this continuous assessment and attestation. The TACOS framework is authored by Tidelift and is a unique outcome of our continued work with partnered maintainers, but all contributions are welcome.

We intend for TACOS to play well by design with SLSA (Supply chain Levels for Software Artifacts) and GUAC (Graph for Understanding Artifact Composition) in this early design phase, and well into the future. The SLSA framework provides a standardized way to attest to artifact provenance, and similarly TACOS provides a standardized way to attest to secure development practices in open source.

What does a TACOS attestation look like?

A TACOS attestation is a simple data structure that contains the attestation metadata and statements attesting to the open source packages’ secure software development practices. (Read the full definition set in the documentation repository, and see the complete field set in the TACOS-spec repository):

{
  "@context": "domain/namespace",
  "@id": "document URL",
  "signature": {"type": "sha256", "digest": "78ab8..."},
  "author": "Firstname Lastname",
  "role": "Attestor",
  "timestamp": "2022-03-23T05:35:37+04:00",
  "TACOSversion": "1",
  "application": "HelloWorld",
  "statements": [
    {
      "PackageName": "com.fasterxml.jackson.core:jackson-databind",
      "PackagePlatform": "maven",
      "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
      "UpstreamRepositoryURL": "https://github.com/FasterXML/jackson",
      "SPDXLicenseLatestRelease": "Apache-2.0",
      "LatestRelease": "2.14.2",
      "ReleasesInUse": ["2.14.2", "2.14.0", "2.9.8"],
      "SBOM": [
        {
          "type": "cycloneDX",
          "version": "1.2",
          "format": "XML",
          "DigitalSignatureURL": "https://tidelift.com/packages/maven/com.fasterxml.jackson.core:jackson-databind-latest-cycloneDX.xml.sig",
          "URL": "https://tidelift.com/packages/maven/com.fasterxml.jackson.core:jackson-databind-latest-cycloneDX.xml"
        },
        {
          "type": "SPDX",
          "version": "2.3",
          "format": "SPDX",
          "DigitalSignatureURL": "https://tidelift.com/packages/maven/com.fasterxml.jackson.core:jackson-databind-latest-SPDX.spdx.sig",
          "URL": "https://tidelift.com/packages/maven/com.fasterxml.jackson.core:jackson-databind-latest-SPDX.spdx"
        }
      ],
      "PackageManager2FAEnabled": "True",
      "SourceRepo2FAEnabled": "True",
      "KnownReleasesURL": "https://tidelift.com/packages/maven/com.fasterxml.jackson.core:jackson-databind/releases-map",
      ... and so on ...
    }
  ]
}
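As an added example that is not part of this post or of the TACOS spec, here is a small Python consumer that reads an attestation shaped like the one above and reports what a software producer would want resolved before relying on it: a digest that no longer matches the statements, missing fields, a PURL whose type disagrees with PackagePlatform, 2FA flags that are not "True", and releases in use that lag the latest release. Because the post does not define what the sha256 digest covers, the example assumes it is computed over a canonical JSON encoding of the statements array; the second statement ("example-lib") and all values are constructed.

```python
import hashlib
import json
# Constructed sample statements using field names from the TACOS example above;
# the second entry is invented so that one of the checks below fails.
STATEMENTS = [
    {"PackageName": "com.fasterxml.jackson.core:jackson-databind",
     "PackagePlatform": "maven",
     "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "LatestRelease": "2.14.2", "ReleasesInUse": ["2.14.2", "2.9.8"],
     "PackageManager2FAEnabled": "True", "SourceRepo2FAEnabled": "True"},
    {"PackageName": "example-lib", "PackagePlatform": "pypi",
     "PURL": "pkg:pypi/example-lib",
     "LatestRelease": "1.4.0", "ReleasesInUse": ["1.4.0"],
     "PackageManager2FAEnabled": "False", "SourceRepo2FAEnabled": "True"},
]
REQUIRED = ("PackageName", "PackagePlatform", "PURL", "LatestRelease",
            "ReleasesInUse", "PackageManager2FAEnabled", "SourceRepo2FAEnabled")

def canonical_digest(statements):
    """sha256 over canonical JSON (sorted keys, no whitespace). Assumption: the
    page does not say what 'signature.digest' covers, so this hashes 'statements'."""
    blob = json.dumps(statements, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_attestation(statements):
    # Top-level envelope from the page's example, with the digest binding the statements.
    return {"@context": "domain/namespace", "TACOSversion": "1",
            "application": "HelloWorld",
            "signature": {"type": "sha256", "digest": canonical_digest(statements)},
            "statements": statements}

def review_attestation(doc):
    """Return the findings a consumer should resolve before relying on doc."""
    sig = doc["signature"]
    if sig["type"] != "sha256" or sig["digest"] != canonical_digest(doc["statements"]):
        return ["digest mismatch: statements were altered after attestation"]
    findings = []
    for st in doc["statements"]:
        name = st.get("PackageName", "<unnamed>")
        if missing := [k for k in REQUIRED if k not in st]:
            findings.append(f"{name}: missing fields {missing}")
            continue
        if not st["PURL"].startswith(f"pkg:{st['PackagePlatform']}/"):
            findings.append(f"{name}: PURL type does not match PackagePlatform")
        for flag in ("PackageManager2FAEnabled", "SourceRepo2FAEnabled"):
            if st[flag] != "True":
                findings.append(f"{name}: {flag} is {st[flag]}")
        if stale := [v for v in st["ReleasesInUse"] if v != st["LatestRelease"]]:
            findings.append(f"{name}: releases behind {st['LatestRelease']}: {stale}")
    return findings
```

Running `review_attestation(build_attestation(STATEMENTS))` yields two findings (the stale jackson-databind 2.9.8 release and the disabled package-manager 2FA on the constructed package); editing any statement after the envelope is built trips the digest check first.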

TACOS is a free framework—not free data

Tidelift partners with open source maintainers and pays them to implement and attest that they follow a clear set of secure development standards—including those outlined in the NIST SSDF. The outcome of this work for software producers is verified, first-party data, adhering to the TACOS attestation framework, that they can use to confidently attest to the security practices of the open source components they rely on.

We’re entering a new era of software accountability with both industry and government-led initiatives for improving software supply chain security converging.

The work effort and the value delivered by open source maintainers must become visible and rewarded in both financial and non-financial ways. This attestation data is extremely valuable, and if TACOS provides a path for more maintainers to be paid to work on it, that's a world we want to live in. We hope you do too!  

Please visit our GitHub repository to learn more about TACOS.