
How Do You Trust Your Open Source Software?

Authors: Naveen Srinivasan, Brian Russell


Summary

The presentation discusses why accurate and detailed information about the open-source software used in product development matters, and introduces the About Code Tools specification as one way to record it.

  • The Android ecosystem uses a public approach to provide information about its code base
  • The About Code Tools specification is a simple and flexible way to convey information about open-source software
  • The SPDX format is a way to exchange that information between organizations in the supply chain
  • Maintaining accurate and detailed information about open-source software is important for cybersecurity and DevOps
  • Enterprise systems and development teams both need to track open-source software information

The Android ecosystem uses certain files in the code base to provide information about that code base; phone and tablet vendors use them to generate notices. The About Code Tools specification is a simple text file with the extension 'about' that can be used in any system to convey information about open-source software. The SPDX format is a way to exchange that information between organizations in the supply chain. Maintaining accurate and detailed information about open-source software is important for cybersecurity and DevOps, and both enterprise systems and development teams need to track it.

Abstract

Open source demand continues to explode, and the processes used to run, test, and maintain these projects are largely opaque. This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about using and maintaining open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecard. Most software is built with hundreds if not thousands of dependencies and transitive dependencies, and knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn't it be nice to get a score of that dependency's health? Enter OSSF https://github.com/ossf Scorecard https://securityscorecards.dev. By attending this session, you will learn how to trust an open source project based on its Scorecard results. Additionally, you will learn how to automate Scorecard by incorporating it into your development toolchain (just add an API call!). Using this knowledge, you’ll be able to build a simple dependency policy for your open-source dependencies. The difference between our last presentation and now is the new API capability of Scorecard, which can be utilized to scale.
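The abstract's "just add an API call" and "simple dependency policy" are shown below as an added example; it is not code from the talk or from the Scorecard project. The REST endpoint `https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}` is the public Scorecard API, but `SAMPLE_RESULT`, `POLICY` and the repository name are constructed for the demonstration, and the policy thresholds are assumptions, not Scorecard recommendations. The script gates a dependency on a minimum overall score plus per-check minimums, and treats an inconclusive check (score `-1`) or a check missing from the result as a failure rather than silently passing it.

```python
"""Evaluate a simple dependency policy against OpenSSF Scorecard API results.

Added example; not code from the talk or the Scorecard project. The API URL
is the public Scorecard REST endpoint; the sample JSON and policy are constructed.
"""
import json
import urllib.request
from typing import Any

# Public Scorecard REST API endpoint; no token is needed for public repositories.
SCORECARD_API = "https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}"


def fetch_scorecard(owner: str, repo: str, timeout: float = 10.0) -> dict[str, Any]:
    """Fetch the latest Scorecard result for a GitHub repository (network call, not used offline)."""
    url = SCORECARD_API.format(owner=owner, repo=repo)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample in the shape the API returns (abbreviated); not a real result.
SAMPLE_RESULT: dict[str, Any] = {
    "date": "2023-04-24",
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0000000"},
    "score": 6.2,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Maintained", "score": 3,
         "reason": "2 commit(s) out of 30 and 0 issue activity in the last 90 days"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Pinned-Dependencies", "score": -1, "reason": "check could not be completed"},
    ],
}

# Assumed policy: a minimum overall score plus per-check minimums. Scorecard scores
# run 0..10; -1 means the check was inconclusive, which this policy treats as a failure.
POLICY: dict[str, Any] = {
    "min_overall": 5.0,
    "required_checks": {
        "Binary-Artifacts": 10,
        "Dangerous-Workflow": 10,
        "Maintained": 5,
        "Pinned-Dependencies": 5,
    },
}


def evaluate(result: dict[str, Any], policy: dict[str, Any]) -> dict[str, Any]:
    """Return {'allowed': bool, 'violations': [...]} for one Scorecard result."""
    violations: list[str] = []
    overall = result.get("score", -1)
    if overall < policy["min_overall"]:
        violations.append(f"overall score {overall} < {policy['min_overall']}")

    by_name = {c["name"]: c for c in result.get("checks", [])}
    for name, minimum in policy["required_checks"].items():
        check = by_name.get(name)
        if check is None:
            # A required check absent from the result is not evidence of health.
            violations.append(f"{name}: check missing from result")
            continue
        score = check.get("score", -1)
        if score < 0:
            violations.append(f"{name}: inconclusive ({check.get('reason', '')})")
        elif score < minimum:
            violations.append(f"{name}: {score} < {minimum} ({check.get('reason', '')})")
    return {"allowed": not violations, "violations": violations}


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_scorecard(owner, repo) for a live check.
    print(json.dumps(evaluate(SAMPLE_RESULT, POLICY), indent=2))
```

Run as-is it evaluates the constructed sample and reports two violations (`Maintained` below threshold and `Pinned-Dependencies` inconclusive); wired into a CI job, a non-empty `violations` list is the signal to block the dependency or open a review ticket.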


Related work

Authors: Naveen Srinivasan, Laurent Simon
2022-06-21

Conference: RSA Conference 2023
Authors: Brian Russell, Naveen Srinivasan
2023-04-24

Authors: Joe Kutner, Savitha Raghunathan, Mritunjay Sharma, Anushka Mittal
2021-10-14