Scorecards

Usually, few of us think that we are not using any kind of open-source software. But in reality, according to the Synopsys Cybersecurity Research Center (CyRC) 2021 “Open Source Security and Risk Analysis” report (OSSRA), 95% of all commercial programs run using open-source software. Are you all now thinking of how to tell which libraries are safe without a deep code dive? Well then, Google and Open Source Security Foundation (OSSF) have come up with an answer to this, the OpenSSF Security Scorecards.

These Scorecards are based on a set of automated pass or fail checks that can provide a quick review of many different kinds of open-source software projects. What is this Scorecards project actually is? The Scorecards project is an automated tool for security that produces a “risk score” for open-source programs. This score is important as some organizations have systems and processes in place to check new open-source dependencies for any security-related issues. 

When coming to Google, the company also faces a similar problem. As this process is often tedious, manual, and error-prone. Since most of these projects and developers are resource-constrained and so security ends up as a low priority on the task list. And so this leads to critical projects not following good security best practices and becoming vulnerable to explore. 

The Scorecards project hopes to make security checks easier to achieve with the release of Scorecards v2. This includes new security checks, scaling up the number of projects being scored, making the data accessible for analysis. 

These Scorecards help the developers in reducing the manual efforts required for evaluating the changing packages while maintaining a project’s supply chain. It enhances the consumers to make informed decisions about the program making improvements. 

Scorecard has evaluated security for over 50,000 open-source projects until now.  

The project now uses Pub/Sub models which can improve horizontal scalability and higher outputs.  Here is what Scorecards can do

Spotting Risks: 

Scorecards has been adding new checks inspired by Google’s Know, Prevent, Fix framework.

Recognizing malicious contributors: 

The code review helps mitigate any kinds of malicious attacks with the new Branch-Protection check. The developers can easily verify the project from another developer before code is performed. As of now, this check can only run with the help of a repository admin due to GitHub API limitations.

Vulnerable Code:

Sometimes a bad code can enter a codebase and still remain undetected. In such a case the project checks to see if any fuzzing and SAST tools are part of the pipeline.

Building system compromise: 

To handle the risk of untrusted user input, the scorecard token-permission prevention check verifies if the gitHub workflow follows the principle of least by making GitHub tokens only readable by default.

Bad dependencies: 

The simple thing you could do is to know your dependencies and to declare them. With this, you can access the risk to your program and mitigate those risks. Scorecards provide Binary-Artifacts for testing this risk. 

Scorecards also check for the anti-patterns with the Frozen-Deps which helps in mitigating against malicious dependency attacks. The scorecards Automated-dependency-Update checks verifies if the developers rely on such tools to update their dependencies. It is important to know vulnerabilities in a project before using it as a dependency and so Scorecards provide this information free via the new vulnerabilities checks without any subscriptions.