Introducing 'Security Scorecards' that automatically evaluates the security of open source projects in one shot
On November 6, 2020, the
Security Scorecards for Open Source Projects --Open Source Security Foundation
https://openssf.org/blog/2020/11/06/security-scorecards-for-open-source-projects/
Security scorecards for open source projects | Google Open Source Blog
https://opensource.googleblog.com/2020/11/security-scorecards-for-open-source.html
In the development field of open source software, rather than writing code from scratch, it is possible to use the function of another open-source software that is packaged there . The mechanism by which one object depends on another object in this way is called a ' dependency '.
Even major IT companies such as Google sometimes incorporate dependencies into open source projects in software, but checking whether a package is safe is a very painstaking task. Even Google is struggling to implement dependencies, so security is often secondary to small, resource-constrained open source project development sites, Google's products. Manager Kim Lewandowski points out.
Lewandowski himself confessed on the official OpenSSF blog that when he was a fledgling engineer, he had created his own website by incorporating appropriate packages without thinking about security. In response to this awareness of the problem, OpenSSF, which was launched in August 2020, released ' Security Scorecards ' as the first open source project to commemorate.
Security Scorecards was developed with the goal of making better decisions about the security issues associated with using open source projects and allowing them to reassess the health of their projects. Security Scorecards automatically generates 'security scores' for open source projects, making it easier than ever to evaluate risks and security when introducing new dependencies.
When using Security Scorecards for a project, 12 items including 'whether the project contains a security policy', 'whether there are contributors from at least two different organizations', 'whether a dependency is declared, etc.' Is automatically checked, and it will judge 'pass / fail' and score with 'trust score of 0 to 10'.
In October 2020, there were reports of cases such as 'malicious open source components disguised as legitimate packages were on the market,' and OpenSSF said, 'Efforts like Security Scorecards have malicious dependencies in the production system. It helps reduce the risk of sneaking into. '
Security Scorecards currently only works with GitHub repositories, but OpenSSF plans to continue developing Security Scorecards so that it can be used with other source code repositories in the future.
Related Posts:
