OpenSSF Scorecard
Intro
The OpenSSF is a cross-industry organization that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.
FOSS (or OSS) is software whose source code anyone can inspect, modify, and enhance.
What is Open Source Software?
Authors make its source code available to others who would like to view that code, copy it, learn from it, alter it, share it, and use it
As a user, you also need to comply with its license.
Currently, an estimated 70-90% of any piece of modern software is FOSS.
OpenSSF Projects 💪
Scorecard
The goal is to auto-generate a security score for open source projects, so that users can judge the trust, risk, and security posture of a project for their use case.
The Scorecard
The Scorecard database is populated in two ways:
- Proactively: projects report their latest score to Scorecard (via the GitHub Action or the CLI) on each commit or release
- Periodically: the OpenSSF runs a cron job over the most widely used and relevant open source projects to retrieve all security-related scores
Data origin 🔥
The Scorecard evaluates the security of your project with automated checks that cover four scenarios.
The Target
Alongside the scores, the tool provides remediation prompts to help you fix problems and strengthen your development practices.
The Scoring
Each check is weighted by how easily the weakness it looks for can be exploited. For example, if something can be exploited through a pull request, we consider that high risk.

There are currently 18 checks across 3 themes: holistic security practices, source code risk assessment and build process risk assessment.
The checks
Checks by theme:
- Holistic security practices
- Source risk assessment
- Build risk assessment
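The following Python is an added example, not code from the slides or from the Scorecard project. It shows how the per-check scores above are combined into a risk-weighted aggregate, and how a policy gate (the kind of thing a monitor tool automates) would act on a result: high-risk checks get little slack, inconclusive checks are reported but not counted, and unknown check names fail closed. Assumptions, taken from my reading of the Scorecard source and check documentation and to be treated as illustrative: every check carries a risk level; the aggregate is a risk-weighted mean with weights Critical=10, High=7.5, Medium=5, Low=2.5; a score of -1 means inconclusive. The JSON shape follows what the Scorecard API and `scorecard --format json` return (a `checks` list with `name`, `score`, `reason`), but `SAMPLE_RESULT` is constructed by hand and the `POLICY_*` thresholds are hypothetical.

```python
"""Added example (not from the slides or the Scorecard project): turn a
Scorecard JSON result into a risk-weighted aggregate and gate on it.

Assumptions (my reading of the Scorecard source and docs; illustrative):
- every check has a risk level (subset of the 18 checks listed below)
- aggregate = weighted mean, Critical=10, High=7.5, Medium=5, Low=2.5
- score -1 means the check was inconclusive and is left out of the aggregate
- SAMPLE_RESULT is hand-constructed in the shape of `scorecard --format json`
"""
import json

INCONCLUSIVE = -1

# Risk level per check (assumption: subset of the checks, from the docs).
CHECK_RISK = {
    "Dangerous-Workflow": "Critical",
    "Token-Permissions": "High",
    "Branch-Protection": "High",
    "Code-Review": "High",
    "Vulnerabilities": "High",
    "Pinned-Dependencies": "Medium",
    "SAST": "Medium",
    "Security-Policy": "Medium",
    "License": "Low",
    "CI-Tests": "Low",
}

RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Hypothetical policy: the more exploitable the weakness (e.g. reachable from
# a pull request), the higher the minimum score we require.
POLICY_MIN_SCORE = {"Critical": 10, "High": 5, "Medium": 3, "Low": 0}
POLICY_MIN_AGGREGATE = 7.0

# Constructed sample result; scores and reasons are made up for the example.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example/project"},
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0, "reason": "workflow tokens with excessive permissions"},
        {"name": "Branch-Protection", "score": 3, "reason": "branch protection is not maximal"},
        {"name": "Code-Review", "score": 8, "reason": "2 unreviewed changesets out of 20"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
        {"name": "Pinned-Dependencies", "score": 4, "reason": "dependencies not pinned by hash"},
        {"name": "SAST", "score": -1, "reason": "could not determine SAST usage"},
        {"name": "Security-Policy", "score": 10, "reason": "security policy file detected"},
        {"name": "License", "score": 10, "reason": "license file detected"},
        {"name": "CI-Tests", "score": 9, "reason": "27 out of 30 merged PRs checked by CI"},
    ],
})


def parse_result(text: str) -> dict:
    """Parse a Scorecard JSON result and validate the fields the policy uses."""
    data = json.loads(text)
    for check in data["checks"]:
        if check["name"] not in CHECK_RISK:
            # Fail closed: a check without a risk level would otherwise
            # silently drop out of both the aggregate and the policy.
            raise ValueError(f"unknown check: {check['name']}")
        if not INCONCLUSIVE <= check["score"] <= 10:
            raise ValueError(f"score out of range for {check['name']}: {check['score']}")
    return data


def aggregate_score(checks: list) -> float:
    """Risk-weighted mean of all conclusive check scores, rounded to 1 decimal."""
    total = 0.0
    weight_sum = 0.0
    for check in checks:
        if check["score"] == INCONCLUSIVE:
            continue
        weight = RISK_WEIGHT[CHECK_RISK[check["name"]]]
        total += check["score"] * weight
        weight_sum += weight
    return round(total / weight_sum, 1) if weight_sum else 0.0


def evaluate(checks: list) -> dict:
    """Apply the policy: per-risk minimums, then the aggregate floor."""
    failing, inconclusive = [], []
    for check in checks:
        risk = CHECK_RISK[check["name"]]
        if check["score"] == INCONCLUSIVE:
            inconclusive.append(check["name"])
        elif check["score"] < POLICY_MIN_SCORE[risk]:
            failing.append(check["name"])
    agg = aggregate_score(checks)
    return {
        "aggregate": agg,
        "failing": failing,
        "inconclusive": inconclusive,
        "passes": not failing and agg >= POLICY_MIN_AGGREGATE,
    }


if __name__ == "__main__":
    result = parse_result(SAMPLE_RESULT)
    report = evaluate(result["checks"])
    print(f"{result['repo']['name']}: aggregate {report['aggregate']}")
    for name in report["failing"]:
        print(f"  FAIL {name} ({CHECK_RISK[name]} risk)")
    for name in report["inconclusive"]:
        print(f"  INCONCLUSIVE {name}")
    print("policy:", "pass" if report["passes"] else "fail")
```

On the sample, two High-risk checks (Token-Permissions at 0, Branch-Protection at 3) fail the policy even though several other checks are perfect, which is exactly the point of weighting by exploitability: a single over-permissioned workflow token is reachable from a pull request, so it must not be averaged away by good license and CI hygiene. Note also that SAST is reported as inconclusive rather than as a failure, and that a check name the policy does not know raises instead of being ignored, so adding a new Scorecard check to a pipeline forces a conscious decision about its threshold.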
Ecosystem
Scorecard Monitor
Simplify OpenSSF Scorecard tracking with automated markdown and JSON reports, plus optional GitHub issue alerts
👉 Link
Scorecard API Visualizer
Tool for visualizing the OpenSSF Scorecard API data in a human-friendly way
👉 Link
⚙️ Toolbox
Use Case
Extra cool tool
Automatically apply security best practices in your GitHub repository
⚙️ What about...?
👉 NodeJS
👉 React
👉 PHP Stan
👉 Kubernetes
👉 Python
👉 Symfony
Are my dependencies healthy?
Resources
Some cool resources
Questions
Thank U!
OpenSSF Scorecard
By Teba Gómez
Let's talk about the Open Source Security Foundation, the security standards for Open Source software they have established and how they foster security awareness through the Scorecard project. And also some cool tools in the ecosystem, including two of my OpenSSF Scorecard projects.