Security scorecards are designed to assess the security of open source packages
Source: Heise.de, added 11 Nov 2020
The Open Source Security Foundation (OpenSSF), founded this summer as a collaborative project of the Linux Foundation, is presenting its first project: Scorecards, a system for the automated assessment of how secure or risky open source packages are. It grew out of the personal experience of those involved, who in earlier programming projects had incorporated unchecked open source code, true to the motto: what many others already use will be fine.
Helpful with third-party code packages
Only with the advent of targeted attacks on open source software did an awareness gradually emerge of how risky software can be when it is neglected, unmaintained, or not updated. In large companies, however, it is often difficult to trace the history of such packages.
This is where the OpenSSF comes in. It defines specific criteria, to be updated over time, against which a software package can be checked automatically, and assigns each criterion a certain number of points. From these an overall score is calculated automatically, on the basis of which a company can decide, for example, whether to use the code as-is or subject it to further checks.
After these criteria have been automatically checked, the resulting score helps during the security assessment of the software.
(Image: OpenSSF)
A first catalog of criteria, which is to be refined in future with the help of the community and project members, is published on GitHub. Criteria such as the existence of a security policy, the involvement of at least two different organizations, the declaration of dependencies and the like are included in the assessment. A documentation page describes how the individual checks are carried out. Interested parties are invited to take a look at the Security Scorecards project and give feedback.
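To make the mechanism described above concrete (automated checks, points per criterion, an overall score, and a use/review/reject decision), here is an added illustrative example. It is not the OpenSSF Scorecards code: the check names, the file paths they look for, the point weights, the decision thresholds and the sample repositories are all assumptions constructed for this example.

```python
# Added illustrative example of a scorecard-style evaluator.
# NOT the OpenSSF Scorecards implementation; check names, weights,
# thresholds and sample data below are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class RepoFacts:
    """Metadata a checker would gather from a repository (constructed inline here)."""
    files: Set[str]                   # paths present in the repository tree
    contributor_orgs: Dict[str, str]  # contributor login -> organisation they work for


# Each check returns True (criterion met) or False. Names are illustrative.
def security_policy(repo: RepoFacts) -> bool:
    """A published security policy tells researchers how to report vulnerabilities."""
    candidates = {"SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"}
    return bool(candidates & repo.files)


def multi_org_contributors(repo: RepoFacts) -> bool:
    """Contributors from at least two organisations lower the single-maintainer risk."""
    return len(set(repo.contributor_orgs.values())) >= 2


def dependencies_declared(repo: RepoFacts) -> bool:
    """A manifest or lockfile makes the dependency set visible and auditable."""
    manifests = {"go.mod", "go.sum", "package-lock.json", "requirements.txt",
                 "Cargo.lock", "pom.xml"}
    return bool(manifests & repo.files)


# (check function, points awarded when it passes); weights are assumed.
CHECKS: List[Tuple[Callable[[RepoFacts], bool], int]] = [
    (security_policy, 10),
    (multi_org_contributors, 5),
    (dependencies_declared, 10),
]
MAX_POINTS = sum(weight for _, weight in CHECKS)


def score(repo: RepoFacts) -> Tuple[int, Dict[str, bool]]:
    """Run every check; return (points earned, per-check pass/fail)."""
    results = {check.__name__: check(repo) for check, _ in CHECKS}
    points = sum(weight for check, weight in CHECKS if results[check.__name__])
    return points, results


def decide(points: int, accept_at: float = 0.8, review_at: float = 0.5) -> str:
    """Map a score to a procurement decision: 'use', 'review' (manual audit) or 'reject'."""
    ratio = points / MAX_POINTS
    if ratio >= accept_at:
        return "use"
    if ratio >= review_at:
        return "review"
    return "reject"


# Constructed sample repositories (not real projects).
WELL_RUN = RepoFacts(
    files={"README.md", "SECURITY.md", "go.mod", "go.sum"},
    contributor_orgs={"alice": "org-a", "bob": "org-b", "carol": "org-a"},
)
PARTIAL = RepoFacts(
    files={"README.md", "package-lock.json"},
    contributor_orgs={"erin": "org-d", "frank": "org-e"},
)
SINGLE_MAINTAINER = RepoFacts(
    files={"README.md", "main.py"},
    contributor_orgs={"dave": "org-c"},
)

if __name__ == "__main__":
    for name, repo in [("well_run", WELL_RUN), ("partial", PARTIAL),
                       ("single_maintainer", SINGLE_MAINTAINER)]:
        points, details = score(repo)
        print(f"{name}: {points}/{MAX_POINTS} -> {decide(points)} {details}")
```

The value of such a score is in triage: a repository that lands in "review" gets a human look before it is pulled in, while "reject" blocks it outright. The checks only inspect project hygiene signals (policy files, contributor diversity, declared dependencies), so a high score says nothing about the correctness of the code itself and does not replace a review of what the package actually does.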
(ur)
media: Heise.de keywords: Open Source Software