How do you trust your open source software?

Open source demand continues to explode and the processes used to run, test, and maintain these projects are largely opaque. This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about using and maintaining open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecards. 

The OpenSSF Scorecard is an automated tool that assesses several important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve to strengthen the security posture of a project or a dependency. Since its v4 release in January 2022, Scorecards has been installed on over 900 GitHub repositories as of March 2022 and is recommended by the GitHub documentation to harden workflows.

Most software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn't it be nice to get a score of the dependencies' health? Enter OSSF https://github.com/ossf  Scorecardhttps://securityscorecards.dev. 

The scorecard project runs a weekly scan of 1M critical projects, and we will provide some findings about the results. Developers can use these public results to assess the risk associated with dependencies, with a real example of projects doing that today.

By attending this session, you will learn how to trust an open source project based on Scorecard results and obtain Scorecards for projects you use. Additionally, you will learn how to automate Scorecards by incorporating them into your development toolchain (just add an API call!). Using this knowledge, you’ll be able to build a simple dependency policy for your open-source dependencies.