With open source software embedded in nearly every product and service, the need for visibility into the security of dependencies has never been greater. End customers, whether enterprises, developers, or users, need a transparent, data-driven way to evaluate the risk of using open source components.
In this lightning talk, we will dive into the OpenSSF Scorecard (an OpenSSF incubated project), an automated security tool that helps open source projects adopt better security practices by providing actionable insights. We will move beyond a theoretical overview and focus on the Scorecard's practical application: running it live on a real-world open-source project and dissecting the report to understand the components that contribute to project security, such as code review, CI testing, signed releases, dependency hygiene, SAST, fuzzing and many more.
This session will empower attendees to leverage OpenSSF Scorecard to proactively assess and enhance the security posture of their own projects or contributions, contributing to a safer and more resilient open-source ecosystem.
Attendees will:
Understand the critical role of OpenSSF Scorecard in improving open-source security hygiene and preventing common vulnerabilities.
Learn some key security checks that the Scorecard performs, such as Branch Protection, Code Review, SAST, Fuzzing, and Dependency Management, and how these translate to tangible risk reduction.
Learn how to install and run the Scorecard, interpret its generated scores and recommendations, and turn its findings into concrete actions that improve project security.
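As an added example (not part of the proposal, and not Scorecard's own code), the following script shows one way to do the "interpret the scores and turn them into actions" step from the outline: it reads a Scorecard JSON report (a constructed sample is embedded, assumed to follow the shape of `scorecard --format=json` output, where each check scores 0 to 10 and -1 means inconclusive), separates weak, inconclusive and passing checks, and pulls out the warning lines that explain each low score.

```python
import json

# Constructed sample report (values made up for illustration); the field layout
# is assumed to match Scorecard's JSON output: repo, score, and a list of checks
# each carrying name, score, reason and details.
SAMPLE_REPORT = json.dumps({
    "date": "2025-01-01",
    "repo": {"name": "github.com/example-org/example-repo", "commit": "0000000"},
    "scorecard": {"version": "v0.0.0-example", "commit": "0000000"},
    "score": 5.9,
    "checks": [
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and all release branches",
         "details": ["Warn: 'force pushes' enabled on branch 'main'",
                     "Warn: 'code reviews' not required on branch 'main'"]},
        {"name": "CI-Tests", "score": 10, "reason": "all pull requests are tested", "details": None},
        {"name": "Code-Review", "score": 8, "reason": "most changes are reviewed", "details": None},
        {"name": "Pinned-Dependencies", "score": 5, "reason": "dependencies not pinned by hash",
         "details": ["Warn: GitHub Actions not pinned by hash in .github/workflows/ci.yml",
                     "Info: Dockerfile base images are pinned"]},
        {"name": "SAST", "score": 0, "reason": "SAST tool is not run on all commits", "details": None},
        {"name": "Fuzzing", "score": 0, "reason": "project is not fuzzed", "details": None},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found", "details": None},
    ],
})

def triage_report(report_json: str, min_score: int = 7) -> dict:
    """Split checks into weak (below min_score), inconclusive (-1) and passing,
    with weak checks ordered worst-first so the list reads as a priority queue."""
    report = json.loads(report_json)
    weak, inconclusive, passing = [], [], []
    for check in report["checks"]:
        score = check["score"]
        if score < 0:                       # Scorecard could not evaluate the check
            inconclusive.append(check["name"])
        elif score < min_score:
            # Keep only the "Warn:" detail lines; they name the concrete gap to fix.
            warnings = [d for d in (check.get("details") or []) if d.startswith("Warn:")]
            weak.append({"name": check["name"], "score": score,
                         "reason": check["reason"], "warnings": warnings})
        else:
            passing.append(check["name"])
    weak.sort(key=lambda c: c["score"])     # stable sort: ties keep report order
    return {"repo": report["repo"]["name"], "score": report["score"],
            "weak": weak, "inconclusive": inconclusive, "passing": passing}

if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    print(f"{result['repo']}: aggregate score {result['score']}")
    for c in result["weak"]:
        print(f"  [{c['score']}/10] {c['name']}: {c['reason']}")
        for w in c["warnings"]:
            print(f"      {w}")
    print("  inconclusive:", ", ".join(result["inconclusive"]) or "none")
```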
Good proposal. Works well as a lightning talk. Requesting the proposer to add more references.
Thank you for submitting your proposal for IndiaFOSS 2025. Your submission was well-received and progressed to our final review stages.
Unfortunately, due to the high volume of excellent proposals this year, we were unable to select your talk for the final program. We appreciate the effort you put into your submission and encourage you to apply again for future events.