Reviewing 3rd party library security easily using OpenSSF Scorecard
Niels Tanis - 3 months ago
Several studies have shown that around 80% of a typical application consists of other people's code. By using any third-party package (e.g. from npm, Maven, Cargo, NuGet or PyPI) developed by others, we also place a lot of trust in it, which may lead to bigger security problems later. Would it not be nice if there were a better way to review a package for security: an easier way to perform an assessment, based on certain observable properties of the project, that tells you more about the package's software security posture? With the introduction of the Scorecard project, the Open Source Security Foundation (OpenSSF) tries to achieve exactly that. In this session we start out with the different areas covered by OpenSSF Scorecard: how well is the project maintained, does its build use dangerous workflows, and does the project use other security tools to check for problems? Combined, these checks give us the ability to assess a third-party package's security posture more easily and improve our own application's security.
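As an added example (not code from the talk or from the Scorecard project), the following Python script turns a Scorecard report into a pass/fail gate by applying a minimum-score policy to the checks the abstract mentions (Maintained, Dangerous-Workflow, use of SAST tooling) plus a few related ones. The report here is a constructed sample shaped like the JSON that `scorecard --repo=github.com/<owner>/<repo> --format=json` emits; the check names and the 0-10 scoring (with -1 meaning the check was inconclusive) are Scorecard's own, while the thresholds in `POLICY` are an assumed example policy, not an OpenSSF recommendation.

```python
import json
import sys

# Constructed sample in the shape of `scorecard --format=json` output.
# Not a real project's report; the scores were chosen to exercise the gate.
SAMPLE_REPORT = json.dumps({
    "date": "2024-01-01",
    "repo": {"name": "github.com/example/somelib", "commit": "0123456789abcdef"},
    "scorecard": {"version": "v4.13.1", "commit": "deadbeef"},
    "score": 5.4,
    "checks": [
        {"name": "Maintained", "score": 10,
         "reason": "30 commit(s) and 5 issue activity found in the last 90 days"},
        # Dangerous-Workflow looks for script injection from untrusted
        # inputs (e.g. PR titles) and checkout of untrusted PR code.
        {"name": "Dangerous-Workflow", "score": 0,
         "reason": "dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0,
         "reason": "detected GitHub workflow tokens with excessive permissions"},
        {"name": "Pinned-Dependencies", "score": 6,
         "reason": "dependency not pinned by hash detected"},
        {"name": "SAST", "score": 0,
         "reason": "SAST tool is not run on all commits"},
        {"name": "Vulnerabilities", "score": 10,
         "reason": "no vulnerabilities detected"},
        {"name": "Code-Review", "score": -1,
         "reason": "no commits found"},
    ],
})

# Assumed example policy: minimum acceptable score per check.
# Dangerous-Workflow is required to be perfect because a single hit there
# means the project's CI can be hijacked by an outside pull request.
POLICY = {
    "Maintained": 5,
    "Dangerous-Workflow": 10,
    "Token-Permissions": 7,
    "Pinned-Dependencies": 5,
    "SAST": 1,
    "Vulnerabilities": 10,
}


def evaluate(report_json, policy=POLICY):
    """Return a list of (check, score, reason) tuples that violate the policy.

    A check that is missing from the report or scored -1 (inconclusive) is
    reported as a finding rather than silently treated as passing.
    """
    report = json.loads(report_json)
    checks = {c["name"]: c for c in report.get("checks", [])}
    findings = []
    for name, minimum in policy.items():
        check = checks.get(name)
        if check is None:
            findings.append((name, None, "check missing from report"))
            continue
        score = check["score"]
        if score < 0:
            findings.append((name, score, "inconclusive: " + check["reason"]))
        elif score < minimum:
            findings.append((name, score, check["reason"]))
    return findings


def passes(report_json, policy=POLICY):
    """True when every check in the policy meets its minimum score."""
    return not evaluate(report_json, policy)


def main(report_json=SAMPLE_REPORT):
    report = json.loads(report_json)
    print(f"{report['repo']['name']} aggregate score: {report['score']}")
    findings = evaluate(report_json)
    for name, score, reason in findings:
        print(f"  FAIL {name:<20} score={score!s:<4} {reason}")
    if findings:
        print("policy: REJECT")
        return 1
    print("policy: ACCEPT")
    return 0


if __name__ == "__main__":
    # In CI you would pipe the real report in: scorecard ... --format=json | python gate.py
    sys.exit(main(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT))
```

The point of gating on individual checks rather than the aggregate score is that the aggregate can look acceptable (5.4 here) while a single critical check such as Dangerous-Workflow sits at zero; the per-check reasons also tell you what to raise with the upstream maintainers.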