How Do You Trust Your Open Source Software? - Naveen Srinivasan, Endor Labs & Brian Russell, Google
Abstract
Demand for open source continues to explode, yet the processes used to run, test, and maintain these projects are largely opaque. This lack of transparency makes it hard for consumers of those projects, including large companies, to assess the risk and make informed decisions about using and maintaining open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecard. Most software is built from hundreds if not thousands of direct and transitive dependencies, and knowing the health of every one of them is a daunting task. How do you know which dependencies are maintained? When a new dependency is added, wouldn't it be nice to get a score for that dependency's health? Enter the OpenSSF (https://github.com/ossf) Scorecard (https://securityscorecards.dev). By attending this session, you will learn how to decide whether to trust an open source project based on its Scorecard results. You will also learn how to automate Scorecard by incorporating it into your development toolchain (just add an API call!), and with that knowledge you will be able to build a simple dependency policy for your open-source dependencies. What is new since our last presentation is the Scorecard API, which can be used to apply this approach at scale.
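The "API call plus simple dependency policy" idea from the abstract, as an added illustration that is not code from the talk or from the Scorecard project. It assumes the public REST endpoint `https://api.securityscorecards.dev/projects/github.com/<org>/<repo>` returns JSON with a top-level `score` and a `checks` list of `{"name", "score"}` objects (a score of -1 meaning inconclusive); the policy thresholds, the sample response and the repository name are constructed for the example.

```python
"""Evaluate an OpenSSF Scorecard result against a simple dependency policy.

Assumption: the API returns {"score": float, "checks": [{"name", "score"}, ...]}
with -1 meaning a check was inconclusive.
"""
import json
import urllib.request

API_BASE = "https://api.securityscorecards.dev/projects/github.com/"

# Policy thresholds are illustrative assumptions, not a recommendation.
DEFAULT_POLICY = {
    "min_overall": 5.0,
    "min_checks": {"Maintained": 5, "Dangerous-Workflow": 10, "Binary-Artifacts": 10},
}


def fetch_scorecard(org: str, repo: str, timeout: int = 10) -> dict:
    """Fetch a live result over the network (not used by the offline demo)."""
    with urllib.request.urlopen(API_BASE + f"{org}/{repo}", timeout=timeout) as resp:
        return json.load(resp)


def evaluate(result: dict, policy: dict = DEFAULT_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means the dependency passes."""
    violations = []
    overall = result.get("score", -1)
    if overall < policy["min_overall"]:
        violations.append(f"overall score {overall} < {policy['min_overall']}")
    by_name = {c["name"]: c.get("score", -1) for c in result.get("checks", [])}
    for name, floor in policy["min_checks"].items():
        score = by_name.get(name, -1)  # missing or inconclusive (-1) fails closed
        if score < floor:
            violations.append(f"{name} score {score} < {floor}")
    return violations


# Constructed sample response in the assumed API shape (all values made up).
SAMPLE = {
    "repo": {"name": "github.com/example-org/example-lib"},
    "score": 6.1,
    "checks": [
        {"name": "Maintained", "score": 8},
        {"name": "Dangerous-Workflow", "score": 10},
        {"name": "Binary-Artifacts", "score": -1},
    ],
}

if __name__ == "__main__":
    for v in evaluate(SAMPLE):
        print("VIOLATION:", v)
```

Swapping `SAMPLE` for `fetch_scorecard("org", "repo")` turns this into the toolchain gate the abstract describes; an inconclusive check is treated as a failure so that a dependency with missing data cannot pass silently.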