How OpenSSF Scorecards can help to evaluate open-source software risks

Everyone knows the phrase “software is eating the world” by Marc Andreessen from over a decade ago. Software powers and touches nearly every aspect of modern society, both personally and professionally, and is critical to the modern economy and national security.

It can also be said that open-source software (OSS) has eaten the software industry. The Linux Foundation and other groups have estimated that free and open-source software (FOSS) constitutes 70% to 90% of any modern software product. Not only is modern software largely composed of OSS components, but IT leaders are more likely to work with vendors who also contribute to the OSS community.

OSS use is rampant because of its flexibility, cost savings, innovation through community-enabled projects, and arguably better security through more eyeballs on the code, especially for large OSS projects. That said, OSS comes with its own concerns, including Common Vulnerabilities and Exposures (CVEs) for affected code.

CVE is a project by MITRE that strives to “identify, define and catalog publicly disclosed cybersecurity vulnerabilities.” However, as the Cloud Native Computing Foundation (CNCF) Software Supply Chain Best Practices whitepaper notes, CVEs are a “trailing metric,” meaning they enumerate vulnerabilities that have already been publicly disclosed. They are also just one type of risk associated with software.

For this reason, organizations should use other methods to evaluate the state of security for OSS projects they consume. One of the most notable is the Open Source Security Foundation’s (OpenSSF’s) Scorecards project.

What is OpenSSF Scorecards for open-source projects?

Announced in late 2020, Scorecards aims to auto-generate a security score for OSS projects to help consumers and organizations make risk-informed decisions about their OSS consumption. Organizations are making overwhelming use of OSS dependencies but determining the risk of consuming those dependencies remains a largely manual activity, particularly at scale across the software ecosystem. The Scorecards project seeks to alleviate some of that burden using automated heuristics and security checks on a scoring scale of 0 to 10. It does this while assessing OSS projects for security concerns that align with best practices such as signing or SAST, already advocated for by both public and private security leaders.
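One practical way to act on the 0-to-10 scores described above is to feed the tool's output into a policy gate that blocks or flags a dependency when its aggregate score or specific checks (such as signing or SAST) fall below a floor. The script below is an added example, not code from the article or from the Scorecards project. It assumes the JSON shape produced by the `scorecard` CLI with `--format=json` (a top-level `score` plus a `checks` list with `name`, `score` and `reason`, and `-1` for a check that could not run); the sample document is constructed, not a real result for any project, and the field layout should be confirmed against the installed Scorecard version.

```python
"""Policy gate over OpenSSF Scorecard JSON output (added example).

Assumption, not from the article: the JSON layout mirrors what
`scorecard --repo=<repo> --format=json` emits, i.e. a top-level "score"
and a "checks" list of {"name", "score", "reason"}, with -1 meaning the
check was inconclusive. Verify against the Scorecard version in use.
"""
import json

# Constructed sample output; not real Scorecard results for any project.
SAMPLE_OUTPUT = json.dumps({
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0000000"},
    "score": 5.4,
    "checks": [
        {"name": "Signed-Releases", "score": 0, "reason": "no signed releases found"},
        {"name": "SAST", "score": 10, "reason": "SAST tool detected"},
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found"},
        {"name": "Vulnerabilities", "score": -1, "reason": "internal error"},
    ],
})

# Minimum acceptable score per check (hypothetical policy values). A check
# missing from the output is treated as a failure so that a renamed or
# dropped check cannot silently pass the gate.
REQUIRED_CHECKS = {"Signed-Releases": 5, "SAST": 5, "Vulnerabilities": 7}
MIN_AGGREGATE = 6.0


def evaluate(raw_json, required=REQUIRED_CHECKS, min_aggregate=MIN_AGGREGATE):
    """Return a verdict dict: repo name, pass/fail, and human-readable findings."""
    data = json.loads(raw_json)
    by_name = {c["name"]: c for c in data.get("checks", [])}
    findings = []

    aggregate = data.get("score")
    if aggregate is None or aggregate < min_aggregate:
        findings.append(f"aggregate score {aggregate} below {min_aggregate}")

    for name, floor in required.items():
        check = by_name.get(name)
        if check is None:
            findings.append(f"{name}: not present in output")
            continue
        score = check["score"]
        reason = check.get("reason", "")
        if score < 0:
            # Inconclusive is not a pass: the check could not be evaluated.
            findings.append(f"{name}: inconclusive ({reason})")
        elif score < floor:
            findings.append(f"{name}: {score} < {floor} ({reason})")

    return {
        "repo": data.get("repo", {}).get("name"),
        "passed": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_OUTPUT)
    print("PASS" if verdict["passed"] else "FAIL", verdict["repo"])
    for line in verdict["findings"]:
        print("  -", line)
```

In a CI pipeline the same function would read the real `scorecard` output for each direct dependency; treating an inconclusive (`-1`) check as a finding rather than ignoring it is deliberate, since a check that could not run gives no evidence either way.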

Copyright © 2022 IDG Communications, Inc.
