The still young Open Source Security Foundation wants to improve the security of free software with an automated evaluation system.
The Open Source Security Foundation (OpenSSF), founded as a collaboration project of the Linux Foundation, presents its first project: Scorecards, a system for the automated assessment of how secure or risky open source packages are. It arose from the participants' own experiences of including untested open source code in earlier programming projects, true to the motto that what many others already use will be fine.
Helpful for third-party code packages
It was only with the advent of targeted attacks on open source software that people began to realize how risky neglected, unmaintained, or outdated software can be. Even so, large companies often find it difficult to trace the history of these packages.
This is where the OpenSSF comes in. It defines specific criteria, to be updated further in the future, against which a software package can be checked automatically, and assigns each criterion a number of points. From these a score is calculated automatically, which a company can then use to decide, for example, whether to use the code or subject it to further checks.
An initial catalog of criteria, which is to be refined in the future with the help of the community and project members, has been published on GitHub. Criteria such as the existence of a security policy, contributions from at least two different organizations, the declaration of dependencies, and the like flow into the evaluation. A documentation page describes how the individual tests are implemented. Interested parties are invited to take a look at the Security Scorecards project and give feedback.
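A minimal illustration of the scoring idea described above, written for this article and not OpenSSF's own Scorecards code: three checks in the spirit of the criteria named (security policy present, dependencies declared, at least two contributing organizations) are run against a constructed checkout, and the pass count is mapped to a score and an accept/review decision. The file names, the e-mail-domain heuristic for organizations and the acceptance threshold are assumptions.

```python
from pathlib import Path
import tempfile

# Paths a project commonly uses for each criterion (assumed, not OpenSSF's list).
SECURITY_POLICY_FILES = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
DEPENDENCY_MANIFESTS = ("go.mod", "go.sum", "package-lock.json", "requirements.txt", "Cargo.lock")
# Free-mail domains say nothing about the author's organization, so they are ignored.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "users.noreply.github.com"}


def has_security_policy(repo: Path) -> bool:
    return any((repo / rel).is_file() for rel in SECURITY_POLICY_FILES)


def declares_dependencies(repo: Path) -> bool:
    return any((repo / rel).is_file() for rel in DEPENDENCY_MANIFESTS)


def contributing_orgs(author_emails) -> set:
    """Distinct organizations, approximated by the domain of each commit author's e-mail."""
    orgs = set()
    for email in author_emails:
        domain = email.rpartition("@")[2].lower()
        if domain and domain not in PERSONAL_DOMAINS:
            orgs.add(domain)
    return orgs


def score_repo(repo: Path, author_emails) -> dict:
    """Run the three checks and map the pass count to a 0-10 score plus a decision."""
    checks = {
        "security_policy": has_security_policy(repo),
        "dependencies_declared": declares_dependencies(repo),
        "two_or_more_orgs": len(contributing_orgs(author_emails)) >= 2,
    }
    score = round(10 * sum(checks.values()) / len(checks))
    decision = "accept" if score >= 8 else "manual review"  # threshold is a policy choice
    return {"checks": checks, "score": score, "decision": decision}


def build_sample_repo(with_policy: bool) -> Path:
    """Constructed checkout (not a real project) used to exercise the checks offline."""
    repo = Path(tempfile.mkdtemp())
    (repo / "go.mod").write_text("module example.invalid/demo\n")
    if with_policy:
        (repo / "SECURITY.md").write_text("Report vulnerabilities to security@example.invalid\n")
    return repo


if __name__ == "__main__":
    authors = ["a@corp-one.example", "b@corp-two.example", "c@gmail.com"]
    print(score_repo(build_sample_repo(True), authors))
```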