Security Scorecards: What is it and what is new in its new version 2.0?

A few days ago, version 2.0 of the open source project "Security Scorecards" was released. The project was launched in November 2020 by Google and the Open Source Security Foundation (OpenSSF).

For this reason, in this post we will take a closer look at the project and its new version 2.0, which brings enhanced testing and new capabilities for optimizing the generated data for further analysis.

OpenSSF

Since this project is run by the OpenSSF, here is the link to our earlier post about it, so that anyone interested in learning more about the Foundation can easily find it:

"The Linux Foundation has announced the formation of a new project called "OpenSSF" (Open Source Security Foundation), whose main objective is to bring together the work of industry leaders in the field of improving open source software security. With this, OpenSSF will continue to develop initiatives such as the Core Infrastructure Initiative and the Open Source Security Coalition, and will bring together other security-related work being carried out by the companies that have joined the project." (from "OpenSSF: a project focused on improving the security of open source software")


What is Security Scorecards?

An official Google Open Source blog post describes the project as follows:

""Security Scorecards" is one of the first projects to be published within the OpenSSF framework since its inception in August 2020. The goal is to auto-generate a "security score" for open source projects to help users decide the trust, risk, and security posture for their use case.

Security Scorecards defines initial evaluation criteria that will be used to generate a scorecard for an open source project in a fully automated way. Every check on the scorecard is actionable. Some of the evaluation metrics used include a well-defined security policy, a code review process, and ongoing testing coverage with fuzzing tools and static code analysis. A Boolean is returned as well as a confidence score for each security check.

Over time, Google will improve these metrics with community contributions through OpenSSF." (from "Security scorecards for open source projects")

How does Security Scorecards work?

According to OpenSSF, "Security Scorecards" works as follows:

It generates a scorecard for an open source project in a fully automated way. Currently the code only works with GitHub repositories, but support for other source code hosting platforms is in the pipeline. Some of the evaluation metrics used include a well-defined security policy, a code review process, and ongoing testing coverage with fuzzing tools and static code analysis.

In addition, it periodically evaluates critical open source projects and exposes the results of the checks through a public BigQuery dataset that is updated weekly. This data can also be used to augment automated decision making whenever new open source dependencies are introduced into projects or organizations.

Thus, an organization could decide that any new dependency with a low score must go through additional evaluation before it is adopted. Checks of this kind can help keep malicious or poorly maintained dependencies from being deployed to production systems.
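The dependency-gating policy just described, as an added example that is not part of the original post and not code from the Security Scorecards project: a small Python script that reads per-dependency check results in the shape the article describes (one pass/fail Boolean plus one confidence value per check), computes an aggregate score, and flags dependencies that need additional review before adoption. The report layout, the check names, the critical-check list and the sample data are all constructed for this example; they are not the tool's real output schema or its actual check catalogue.

```python
"""Gate new dependencies on Security Scorecards-style check results.

Added example, not the Scorecards project's own code. The report layout below
is a constructed approximation of what the article describes (a Boolean result
and a confidence value per check), not the tool's real JSON schema.
"""
import json

# Constructed sample reports for two hypothetical dependencies, stored as the
# JSON text a scorecard run might have written to disk.
SAMPLE_REPORTS_JSON = """
{
  "good-lib": {"checks": [
    {"name": "Security-Policy", "pass": true,  "confidence": 10},
    {"name": "Code-Review",     "pass": true,  "confidence": 8},
    {"name": "Fuzzing",         "pass": true,  "confidence": 10},
    {"name": "SAST",            "pass": true,  "confidence": 7},
    {"name": "Vulnerabilities", "pass": true,  "confidence": 10}
  ]},
  "risky-lib": {"checks": [
    {"name": "Security-Policy", "pass": false, "confidence": 10},
    {"name": "Code-Review",     "pass": false, "confidence": 9},
    {"name": "Fuzzing",         "pass": false, "confidence": 10},
    {"name": "SAST",            "pass": true,  "confidence": 3},
    {"name": "Vulnerabilities", "pass": true,  "confidence": 10}
  ]}
}
"""

# Hypothetical policy: failing any of these checks forces extra review even
# when the aggregate score is acceptable.
CRITICAL_CHECKS = {"Code-Review", "Vulnerabilities"}


def load_reports(json_text):
    """Parse the constructed report format into {dependency: report}."""
    return json.loads(json_text)


def aggregate_score(report):
    """Confidence-weighted pass rate scaled to 0..10.

    A pass reported with low confidence contributes little; a report with no
    usable checks scores 0 so that unknown dependencies are not waved through.
    """
    checks = report.get("checks", [])
    total = sum(c["confidence"] for c in checks)
    if total == 0:
        return 0.0
    earned = sum(c["confidence"] for c in checks if c["pass"])
    return round(10 * earned / total, 2)


def failed_critical(report):
    """Names of critical checks that did not pass, sorted for stable output."""
    return sorted(c["name"] for c in report.get("checks", [])
                  if c["name"] in CRITICAL_CHECKS and not c["pass"])


def needs_additional_review(report, threshold=7.0):
    """The article's policy: a low score means the dependency needs a closer look."""
    return aggregate_score(report) < threshold or bool(failed_critical(report))


def triage(reports, threshold=7.0):
    """Decide, per dependency, whether it may be adopted as-is or needs review."""
    decisions = {}
    for name, report in reports.items():
        decisions[name] = {
            "score": aggregate_score(report),
            "failed_critical": failed_critical(report),
            "review": needs_additional_review(report, threshold),
        }
    return decisions


SAMPLE_REPORTS = load_reports(SAMPLE_REPORTS_JSON)

if __name__ == "__main__":
    for dep, decision in triage(SAMPLE_REPORTS).items():
        verdict = "NEEDS REVIEW" if decision["review"] else "ok"
        print(f"{dep:10s} score={decision['score']:5.2f} "
              f"failed_critical={decision['failed_critical']} -> {verdict}")
```

The weighting by confidence is the part worth keeping even if the rest is replaced by the real tool's output: a check that reports "pass" with low confidence should not count the same as one the scanner is sure about, and an empty or unparseable report should fail closed rather than default to "trusted".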

For more detail from the official source (OpenSSF), see the following link.

What's new in version 2.0

This new version 2.0 was released shortly after Google presented a comprehensive framework called "Supply-chain Levels for Software Artifacts" (SLSA), which seeks to ensure the integrity of software artifacts and prevent unauthorized modifications during their development and deployment.

In brief, it includes the following new features:

  1. Improved identification of known risks.
  2. Strengthened detection of malicious contributors by checking for mandatory third-party code review before changes are merged.
  3. Better detection of vulnerable code by checking for static code analysis and continuous fuzzing.
  4. Improved identification of vulnerable dependencies, so that security risks can be spotted and the most appropriate mitigation decided.

For the details of the current enhancements and features, see the following link.

Summary

We hope this "useful little post" about «Security Scorecards», a project launched by Google and the Open Source Security Foundation that recently released a new version 2.0 with enhanced testing and capabilities to optimize the generated data for further analysis, is of great interest and use to the entire «Free Software and Open Source Community» and contributes to spreading the wonderful, huge and growing ecosystem of «GNU/Linux» applications.

For now, if you liked this post, do not hesitate to share it with others on your favorite websites, channels, groups or communities on social networks or messaging systems, preferably free, open and/or more secure ones such as Telegram, Signal, Mastodon or another Fediverse service.

And remember to visit our home page at «DesdeLinux» to explore more news, and to join the official DesdeLinux Telegram channel. For more information, you can visit any online library such as OpenLibra and JedIT to access and read digital books (PDFs) on this topic or others.
