Security scorecards for open source projects

When developers or organizations introduce a new open source dependency into their production software, there’s no easy indication of how secure that package is.

Some organizations—including Google—have systems and processes in place that engineers must follow when introducing a new open source dependency, but that process can be tedious, manual, and error-prone. Furthermore, many of these projects and developers are resource constrained and security often ends up a low priority on the task list. This leads to critical projects not following good security best practices and becoming vulnerable to exploits. For example, a recent exploit chain in the Chromium browser used a vulnerability in the FreeType package. These issues are what inspired us to work on a new project called “Scorecards” announced last week by the Open Source Security Foundation (OpenSSF).

Scorecards is one of the first projects being released under the OpenSSF since its inception in August, 2020. The goal of the Scorecards project is to auto-generate a “security score” for open source projects to help users as they decide the trust, risk, and security posture for their use case. Scorecards defines an initial evaluation criteria that will be used to generate a scorecard for an open source project in a fully automated way. Every scorecard check is actionable. Some of the evaluation metrics used include a well-defined security policy, code review process, and continuous test coverage with fuzzing and static code analysis tools. A boolean is returned as well as a confidence score for each security check. Over time, Google will be improving upon these metrics with community contributions through the OpenSSF.

Check out the Security Scorecards project on GitHub and provide feedback. This is just the first step of many, and we look forward to continuing to improve open source security with the community.

By Kim Lewandowski, Dan Lorenc, and Abhishek Arya, Google Security team

Scaling deep retrieval with TensorFlow Recommenders and Vertex AI Matching Engine May 1, 2023
Unleash your Google Cloud data with ThoughtSpot, Looker, and BigQuery May 1, 2023
Seeing the World: Vertex AI Vision Developer Toolkit May 1, 2023
BBC: Keeping up with a busy news day with an end-to-end serverless architecture May 1, 2023
Scalable electronic trading on Google Cloud: A business case with BidFX May 1, 2023
Google Cloud and Equinix: Building Excellence in ML Operations (MLOps) May 1, 2023
Effingo: the internal Google copy service moving data at scale May 1, 2023
Evaluating the true cost or TCO of a database — and how Cloud Spanner compares May 1, 2023

November 9, 2020

Google / Open Source

Security scorecards for open source projects

Related Google News: