Session Name: Assessing the Risk of Open-source Components Using Openssf’s Scorecard
Open source components represent 70-80% of the code of commercial applications. Yet even when a project's code is open source, the processes used to build, test, and maintain it are far less visible. For example, do you know whether the log4j project requires code reviews to reduce the likelihood of dangerous code being introduced into the codebase? How about the npm-color project?
This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about their use and maintenance of open-source components.
In this talk, we will introduce a tool developed by the OpenSSF: Scorecard. Scorecard is an automated tool that assesses a number of security-relevant heuristics ("checks") for a repository and assigns each check a score of 0-10. You can use these scores to identify the specific areas to improve in order to strengthen the security posture of a project or a dependency. Since its v4 release in January 2022, Scorecard has been installed on over 800 GitHub repositories as of March 2022 and is recommended by the GitHub documentation as a way to harden workflows.
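To make the per-check scores concrete, here is an added example (not code from the talk or from the Scorecard project) that consumes a Scorecard JSON report and gates on it the way a dependency-intake pipeline might. The report embedded below is constructed for this example and is not a real result for any project; it follows the shape of Scorecard's JSON output (a `checks` list whose entries carry a `name`, a `score` of 0-10, or -1 when the check was inconclusive, and a `reason`), and the threshold of 7 is a hypothetical policy choice.

```python
import json

# Constructed sample in the shape of a Scorecard JSON report. The scores and
# reasons are invented for this example and describe no real repository.
SAMPLE_SCORECARD_JSON = json.dumps({
    "repo": {"name": "github.com/example/library", "commit": "abc123"},
    "score": 6.2,
    "checks": [
        {"name": "Code-Review", "score": 3,
         "reason": "found 3 unreviewed changesets out of 10"},
        {"name": "Branch-Protection", "score": 0,
         "reason": "branch protection not enabled on development/release branches"},
        {"name": "Token-Permissions", "score": 10,
         "reason": "tokens are read-only in all workflows"},
        {"name": "Pinned-Dependencies", "score": 5,
         "reason": "some dependencies are not pinned"},
        # Scorecard reports -1 when a check cannot reach a conclusion,
        # e.g. because the project has never cut a release.
        {"name": "Signed-Releases", "score": -1,
         "reason": "no releases found"},
    ],
})

MIN_SCORE = 7  # hypothetical policy threshold for this example


def evaluate(scorecard_json, min_score=MIN_SCORE):
    """Split the checks of a Scorecard JSON report into failing and inconclusive.

    Returns (failing, inconclusive): failing is a list of (name, score, reason)
    tuples for checks scoring below min_score; inconclusive is a list of names
    of checks that reported -1. Inconclusive checks are kept separate rather
    than treated as 0, because "no releases yet" is not the same risk as
    "releases are unsigned".
    """
    data = json.loads(scorecard_json)
    failing = []
    inconclusive = []
    for check in data.get("checks", []):
        score = check.get("score", -1)
        if score < 0:
            inconclusive.append(check["name"])
        elif score < min_score:
            failing.append((check["name"], score, check.get("reason", "")))
    return failing, inconclusive


def passes_policy(scorecard_json, min_score=MIN_SCORE, allow_inconclusive=True):
    """True if no check scores below min_score (and, optionally, none is inconclusive)."""
    failing, inconclusive = evaluate(scorecard_json, min_score)
    if failing:
        return False
    return allow_inconclusive or not inconclusive


if __name__ == "__main__":
    failing, inconclusive = evaluate(SAMPLE_SCORECARD_JSON)
    for name, score, reason in failing:
        print(f"FAIL {name:<20} {score:>2}/10  {reason}")
    for name in inconclusive:
        print(f"???  {name:<20}  inconclusive")
    print("policy result:", "pass" if passes_policy(SAMPLE_SCORECARD_JSON) else "fail")
```

A real report for a repository can be produced with the Scorecard CLI, for example `scorecard --repo=github.com/ossf/scorecard --format=json`, and piped into this kind of gate; which checks to require, and whether an inconclusive result should block intake, is a policy decision that depends on how the dependency is used.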
We will present a live demo of exploitation techniques and Scorecard detection.
Spencer is a software engineer on the Google Open Source Security Team (GOSST). He works on tooling to assess and remediate the security risks that come with consuming open source.