
Assessing the Risk of Open-source Components Using OpenSSF's Scorecard

2022-06-21

Authors:   Naveen Srinivasan, Laurent Simon


Summary

Scorecard is a tool that helps users assess the security of their open-source projects and dependencies on GitHub.
  • Scorecard checks for good practices, authentication, and over-privileged CI runs (workflows whose GITHUB_TOKEN has more than read-only permissions).
  • Scorecard flags dangerous workflow patterns and warns when a workflow could expose repository secrets to pull requests.
  • Scorecard can be installed as a GitHub Action to score a project continuously, and can be run on demand against a dependency's repository.
  • Scorecard alerts users to potential risks, such as unmaintained dependencies.
  • Scorecard can detect whether a project's CI uses fuzzing and scores the Fuzzing check 10 if it does.
  • Scorecard is configurable and can be used to enforce policies at scale.
  • The team plans to add support for more languages and to improve configurability.

Abstract

Open source demand continues to explode. Developers worldwide will request open-source packages, representing a 73% YoY growth in developer downloads of open-source components. Yet even though a project's code is open, the processes used to run, test, and maintain it are far less visible. For example, do you know whether the log4j project requires code reviews to reduce the likelihood of dangerous code being introduced into the codebase? How about the npm-color project? This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about their use and maintenance of open-source components. In this talk, we introduce a tool developed by the OpenSSF: Scorecards. Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of a project or a dependency. Since its v4 release in January 2022, Scorecards has been installed on over 800 GitHub repositories (as of March 2022), and GitHub's own documentation recommends it for hardening workflows.
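The summary's "enforce policies at scale" bullet and the abstract's per-check 0-10 scores come together once the scores are consumed by a gate. The following is an added example, not code from the Scorecard project or the talk: it reads the JSON that `scorecard --repo <repo> --format json` prints, compares each check's score with a minimum, and reports every shortfall so the same policy can be applied to every dependency in a CI job. The check names are the real Scorecard check names; the thresholds, the repository name, the commit hashes, the scores and the reasons in the sample are constructed for illustration and are not a real Scorecard run.

```python
"""Gate a dependency on OpenSSF Scorecard results.

Added example (not Scorecard's own code). Reads the JSON produced by
`scorecard --repo <repo> --format json` and fails when any check in the
policy scores below its minimum.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum score per Scorecard check. The check names are real; the
# thresholds are an assumed example policy, not a Scorecard default.
DEFAULT_POLICY: Dict[str, int] = {
    "Token-Permissions": 9,    # GITHUB_TOKEN must default to read-only
    "Dangerous-Workflow": 10,  # no untrusted-checkout / script-injection patterns
    "Code-Review": 7,
    "Maintained": 5,
    "Pinned-Dependencies": 5,
    "Vulnerabilities": 10,
    "Binary-Artifacts": 10,
}

# Constructed sample in the shape of Scorecard's JSON output. Repository,
# commit hashes, scores and reasons are made up for illustration.
SAMPLE_RESULT = json.dumps({
    "date": "2022-06-21",
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0" * 40},
    "scorecard": {"version": "v4.4.0", "commit": "1" * 40},
    "score": 6.3,
    "checks": [
        {"name": "Token-Permissions", "score": 0,
         "reason": "non read-only tokens detected in GitHub workflows"},
        {"name": "Dangerous-Workflow", "score": 10,
         "reason": "no dangerous workflow patterns detected"},
        {"name": "Code-Review", "score": 8,
         "reason": "found 4 unreviewed changesets out of 20"},
        {"name": "Maintained", "score": 10,
         "reason": "30 commit(s) and 5 issue activities found in the last 90 days"},
        {"name": "Pinned-Dependencies", "score": -1,      # -1 = inconclusive
         "reason": "internal error: unable to parse workflow"},
        {"name": "Vulnerabilities", "score": 10,
         "reason": "no vulnerabilities detected"},
        {"name": "Fuzzing", "score": 10,
         "reason": "project is fuzzed with OSS-Fuzz"},
        # Binary-Artifacts deliberately absent: a check that was not run.
    ],
})


@dataclass(frozen=True)
class Violation:
    check: str
    score: Optional[int]   # None when the check is absent from the results
    minimum: int
    reason: str

    def __str__(self) -> str:
        if self.score is None:
            got = "not run"
        elif self.score < 0:
            got = "inconclusive"
        else:
            got = str(self.score)
        return f"{self.check}: got {got}, need >= {self.minimum} ({self.reason})"


def load_checks(result_json: str) -> Dict[str, dict]:
    """Index the 'checks' array of a Scorecard JSON result by check name."""
    result = json.loads(result_json)
    return {c["name"]: c for c in result.get("checks", [])}


def evaluate(result_json: str, policy: Dict[str, int] = DEFAULT_POLICY,
             fail_on_inconclusive: bool = True) -> List[Violation]:
    """Return every policy violation, in policy order; empty means pass.

    Scorecard reports -1 when a check could not reach a conclusion (for
    example, an API error). Failing on that is the safe default: an unknown
    state should not silently pass a gate. A check that is in the policy
    but missing from the results (not run, or filtered out with --checks)
    is also a violation for the same reason.
    """
    checks = load_checks(result_json)
    violations: List[Violation] = []
    for name, minimum in policy.items():
        check = checks.get(name)
        if check is None:
            violations.append(Violation(name, None, minimum, "check missing from results"))
            continue
        score = int(check["score"])
        if score < 0:
            if fail_on_inconclusive:
                violations.append(Violation(name, score, minimum, check.get("reason", "")))
        elif score < minimum:
            violations.append(Violation(name, score, minimum, check.get("reason", "")))
    return violations


def passes(result_json: str, policy: Dict[str, int] = DEFAULT_POLICY,
           fail_on_inconclusive: bool = True) -> bool:
    return not evaluate(result_json, policy, fail_on_inconclusive)


if __name__ == "__main__":
    import sys
    # Usage: scorecard --repo github.com/org/repo --format json | python gate.py
    data = SAMPLE_RESULT if sys.stdin.isatty() else sys.stdin.read()
    found = evaluate(data)
    for v in found:
        print("FAIL", v)
    sys.exit(1 if found else 0)
```

The policy is deliberately strict about the two checks that describe CI privilege (Token-Permissions and Dangerous-Workflow), because those are the ones an attacker with a merged pull request benefits from. A low score on any check is a missing practice to investigate, not proof that the dependency is vulnerable; the Vulnerabilities check is the only one that reports known CVEs.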

Materials:


Related work

Conference:  RSA Conference 2023
Authors: Brian Russell, Naveen Srinivasan
2023-04-24

Authors: Venkata Gunapati, Anusha Ragunathan
2023-04-21