On November 6, 2020 (local time), the Open Source Security Foundation (OpenSSF), of which Google is also a member, released Security Scorecards, a tool that automatically assesses the security posture of open source projects.
In open source software development, functionality is commonly pulled in as packaged open source software rather than written from scratch. The relationship in which one piece of software relies on another in this way is called a dependency.
Even major IT companies such as Google include open source project dependencies in their software, yet determining whether a package is secure is quite difficult. If even Google struggles with vetting the dependencies it introduces, security is all the more likely to be neglected in open source projects run with small, limited resources.
Against this background, Security Scorecards was announced as the first project of OpenSSF, which was launched in August 2020. It was developed chiefly to support better judgments about the security issues involved in using an open source project and to properly assess project health. A security score for an open source project is generated automatically, which makes it easier than before to gauge the risk and security level when introducing a new dependency.
When run against a project, Security Scorecards automatically performs 12 checks, including whether the project has a security policy, whether it has at least two contributors from at least two different organizations, and whether its dependencies are declared with pinned versions. Each check returns a pass or fail result together with a confidence score out of 10.
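To make the three checks named above concrete, here is an added, simplified re-implementation of them. It is example code written for this page, not the Security Scorecards project's own code: it assumes a repository snapshot expressed as a Python dict (file listing, commit author e-mails, and a pip requirements manifest), uses the domain of each commit author's e-mail as a stand-in for the organization lookup, and reports each check in the same pass/fail-plus-confidence shape.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample repositories (not real projects) used as input below.
SAMPLE_REPO = {
    "files": {"README.md", "SECURITY.md", "requirements.txt", "src/app.py"},
    "commit_authors": [
        "alice@example.com", "alice@example.com",
        "bob@example.org", "carol@example.org",
    ],
    "requirements.txt": "# pinned to exact releases\nrequests==2.24.0\nurllib3==1.25.10\n",
}

UNPINNED_REPO = {
    "files": {"README.md", "requirements.txt"},
    "commit_authors": ["dave@example.com", "erin@example.net"],
    "requirements.txt": "requests>=2.0\nflask\n",
}

# Mail providers that say nothing about an employer; ignored by the contributor heuristic.
GENERIC_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
# Common locations for a security policy file (assumed list for this example).
POLICY_FILES = {"SECURITY.md", "SECURITY.rst", "SECURITY", ".github/SECURITY.md", "docs/SECURITY.md"}
# A pip requirement counts as pinned only when it uses an exact "==" version.
PINNED_REQ = re.compile(r"[\w.\-\[\],]+==[^\s;]+(\s*;.*)?")


@dataclass
class CheckResult:
    name: str
    passed: bool
    confidence: int  # 0 to 10, as in the pass/fail-plus-confidence reporting style
    detail: str


def check_security_policy(repo):
    """Pass if the repository ships a security policy file in a known location."""
    found = sorted(POLICY_FILES & repo["files"])
    return CheckResult("Security-Policy", bool(found), 10,
                       f"found {found}" if found else "no security policy file")


def check_contributors(repo, min_orgs=2):
    """Pass if commits come from at least min_orgs distinct (non-generic) e-mail domains."""
    per_domain = Counter()
    for email in repo["commit_authors"]:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in GENERIC_MAIL_DOMAINS:
            per_domain[domain] += 1
    orgs = sorted(per_domain)
    # An e-mail domain is only a proxy for an organization, so confidence stays below 10.
    return CheckResult("Contributors", len(orgs) >= min_orgs, 7, f"organizations seen: {orgs}")


def check_frozen_deps(repo):
    """Pass if every declared dependency is pinned to an exact version."""
    manifest = repo.get("requirements.txt", "")
    lines = [ln.strip() for ln in manifest.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    unpinned = [ln for ln in lines if not PINNED_REQ.fullmatch(ln)]
    passed = bool(lines) and not unpinned
    return CheckResult("Frozen-Deps", passed, 10,
                       "all dependencies pinned" if passed else f"unpinned: {unpinned}")


def score_repo(repo):
    """Run all checks and return their results in order."""
    return [check_security_policy(repo), check_contributors(repo), check_frozen_deps(repo)]


def summarize(repo):
    """Map each check name to its pass/fail outcome."""
    return {r.name: r.passed for r in score_repo(repo)}


if __name__ == "__main__":
    for label, repo in (("sample", SAMPLE_REPO), ("unpinned", UNPINNED_REPO)):
        print(label)
        for r in score_repo(repo):
            status = "Pass" if r.passed else "Fail"
            print(f"  {r.name:16} {status}  confidence={r.confidence:2}  {r.detail}")
```

The unpinned sample shows the failure mode the dependency check is meant to catch: `requests>=2.0` and a bare `flask` would let a future (possibly malicious) release be pulled in silently, whereas the exact pins in the first sample do not.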
There were also reports in October 2020 of malicious open source components disguised as ordinary packages. OpenSSF says efforts such as Security Scorecards will help mitigate the risk of malicious dependencies creeping into production systems. Security Scorecards currently supports only repositories hosted on GitHub, but OpenSSF says it plans to extend it to other source code hosting services in the future. Related information can be found here.