Niels Tanis
Aug 20, 2024

Reviewing 3rd party library security easily using OpenSSF Scorecard

Are your dependencies a security risk? Get an instant security score for any open-source library using OpenSSF Scorecard.

Niels Tanis - Reviewing 3rd party library security easily using OpenSSF Scorecard
#1about 4 minutes

Understanding the inherent risks of third-party dependencies

The vast majority of an application's code comes from third-party libraries, creating significant risk as shown by the Log4j vulnerability.

#2about 2 minutes

How malicious actors infiltrate open source projects

Malicious actors can introduce backdoors into trusted projects over long periods, as demonstrated by the XZ Utils supply chain attack.

#3about 2 minutes

Detecting known vulnerabilities and hidden package dependencies

Tooling can help identify publicly disclosed vulnerabilities, but risks remain from unmanaged or hidden dependencies bundled within packages.

#4about 2 minutes

Introducing OpenSSF Scorecard as a software nutrition label

OpenSSF Scorecard provides a "nutrition label" for open source projects by running automated checks to assess their security posture.

#5about 3 minutes

Breaking down key security checks in Scorecard

Scorecard evaluates projects based on the presence of known vulnerabilities, automated dependency updates, security policies, and the use of testing like fuzzing and SAST.

#6about 3 minutes

Evaluating project health and build process integrity

Scorecard assesses repository health through checks for branch protection, code reviews, contributor diversity, pinned dependencies, and signed releases.

#7about 2 minutes

Applying Scorecard to analyze a real-world package

A practical demonstration shows how to run Scorecard against a popular library like Newtonsoft.Json and use its API to analyze transitive dependencies.

#8about 3 minutes

Correlating Scorecard results with real-world security data

Research shows a strong correlation between higher OpenSSF Scorecard scores and better security outcomes, such as fewer vulnerabilities and more active maintenance.

#9about 3 minutes

Exploring the future of automated security analysis

Future improvements in security tooling should focus on deeper analysis like coverage-based fuzzing, data-flow SAST, build reproducibility, and community-based auditing.

#10about 1 minute

Final takeaways on integrating Scorecard into your workflow

Scorecard is a valuable tool for assessing project health but should be used as part of a broader security strategy, not as an end goal.

Related jobs
Jobs that call for the skills explored in this talk.
today
Principal Backend Engineer (Node.js)
Almedia
Berlin, Germany
Senior
today
Junior Python Backend / GenAI Support Intern
Eltemate
Amsterdam, Netherlands
Junior
yesterday
Senior Researcher for Generative AI
Dynatrace
Linz, Austria
Senior

Related Videos

Fireside Chat: Can Regulation Improve Accessibility? - Léonie Watson00:00
Léonie Watson — 2 days ago
Fireside Chat: Can Regulation Improve Accessibility? - Léonie Watson
WeAreDevelopers LIVE – Real-Time Phone Agents, Unsafe VPNs & More00:00
Chris Heilmann, Daniel Cranney & Marius Obert — 7 days ago
WeAreDevelopers LIVE – Real-Time Phone Agents, Unsafe VPNs & More
Minimal infrastructure for Real‑Time Phone Agents: transcripts in, responses out00:00
Chris Heilmann, Daniel Cranney & Marius Obert, Staff Developer Evangelist at Twilio — 8 days ago
Minimal infrastructure for Real‑Time Phone Agents: transcripts in, responses out