Open Source Security Foundation (OpenSSF) Scorecards provide a way for open source users to determine whether maintainers are being diligent about securing their link in the software supply chain. Practices such as pinning dependencies, branch protection, required reviews and continuous integration tests are measured to produce a score (0 to 10) and an accompanying badge.
This presentation walks through the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repositories. It also looks at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be automated to minimize toil.
SOOCon24 - Showing that you care about security - OpenSSF Scorecards
1. Showing that you care about security
OpenSSF Scorecards - Chris Swan
https://stateofopencon.com/ #stateofopencon #soocon24 #openuk
https://hachyderm.io/@openuk
5. Agenda
• Who are OpenSSF, and what is a scorecard?
• Start with Allstar
• Doing your first repository
• Scaling across multiple repositories
• 80:20
• The toil of it all
6. (Visibly) well maintained software is more sustainable software… requiring less time and resources to keep up to date and adapt to the changing world around us.
33. Review
• An OpenSSF Scorecard can show you care about security.
• Allstar provides a good starting point.
• Pick a first repo to get the hang of what’s needed.
• Then automate across the rest of the organisation.
• 20% of the effort to get 80% of the score.
• Scorecards do create ongoing toil that needs to be minimised.
34. Call to action: Run the scorecard CLI against one of your own repos
https://github.com/ossf/scorecard#scorecard-command-line-interface
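A small wrapper for that call to action, added here as an example (it is not code from the talk or from the scorecard project): it builds the scorecard CLI invocation, runs it when the binary and a GitHub token are available, and turns the JSON report into the list of checks a maintainer would work on first. It assumes the `scorecard` binary is on PATH, that the CLI accepts `--repo`, `--format=json` and `--checks`, and that it reads the token from `GITHUB_AUTH_TOKEN`; the embedded report is a constructed sample in the CLI's JSON shape, not output from a real repository.

```python
"""Run the OpenSSF Scorecard CLI against one repo and list the weak checks.

Added example, not the talk's or the scorecard project's own code.
"""
import json
import os
import shutil
import subprocess
from typing import Any, Dict, List, Optional


def scorecard_command(repo: str, checks: Optional[List[str]] = None) -> List[str]:
    """Build the CLI invocation: --repo, --format=json and an optional --checks filter."""
    cmd = ["scorecard", f"--repo={repo}", "--format=json"]
    if checks:
        cmd.append("--checks=" + ",".join(checks))
    return cmd


def run_scorecard(repo: str, token: Optional[str] = None) -> Dict[str, Any]:
    """Execute the CLI (needs network and a GitHub token) and parse its JSON output.

    Fails early with a clear message instead of letting the CLI hit the API
    unauthenticated and stop with a rate-limit error.
    """
    token = token or os.environ.get("GITHUB_AUTH_TOKEN")
    if not token:
        raise RuntimeError("set GITHUB_AUTH_TOKEN to a GitHub token before running scorecard")
    if shutil.which("scorecard") is None:
        raise RuntimeError("scorecard binary not found on PATH")
    env = dict(os.environ, GITHUB_AUTH_TOKEN=token)
    proc = subprocess.run(scorecard_command(repo), capture_output=True, text=True,
                          env=env, check=True)
    return json.loads(proc.stdout)


def summarize(report: Dict[str, Any], threshold: int = 7) -> Dict[str, Any]:
    """Split the report into checks to fix (score below threshold, worst first)
    and checks that could not run (score -1, e.g. no data for the check),
    which need a different kind of attention than a genuine low score."""
    weak, inconclusive = [], []
    for check in report.get("checks", []):
        name, reason = check["name"], check.get("reason", "")
        score = check.get("score", -1)
        if score < 0:
            inconclusive.append((name, reason))
        elif score < threshold:
            weak.append((name, score, reason))
    weak.sort(key=lambda row: (row[1], row[0]))
    return {"score": report.get("score"), "weak": weak, "inconclusive": inconclusive}


# Constructed sample in the CLI's JSON shape; values are illustrative, not a real run.
SAMPLE_REPORT = json.loads("""
{
  "date": "2024-02-06",
  "repo": {"name": "github.com/example-org/example-repo", "commit": "constructed"},
  "scorecard": {"version": "constructed", "commit": "constructed"},
  "score": 5.8,
  "checks": [
    {"name": "Branch-Protection", "score": 3,
     "reason": "branch protection is not maximal on development and/or release branches"},
    {"name": "Pinned-Dependencies", "score": 2,
     "reason": "dependency not pinned by hash detected"},
    {"name": "Code-Review", "score": 10, "reason": "all changesets reviewed"},
    {"name": "CI-Tests", "score": -1, "reason": "no pull request found"},
    {"name": "Token-Permissions", "score": 9,
     "reason": "detected GitHub workflow tokens with excessive permissions"}
  ]
}
""")


if __name__ == "__main__":
    import sys
    # Usage: python scorecard_summary.py github.com/owner/repo  (or no arg for the sample)
    report = run_scorecard(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    result = summarize(report)
    print(f"overall score: {result['score']}")
    for name, score, reason in result["weak"]:
        print(f"FIX  {name:<22} {score:>2}  {reason}")
    for name, reason in result["inconclusive"]:
        print(f"N/A  {name:<22}  -  {reason}")
```

Sorting by score puts the cheapest wins (Pinned-Dependencies, Branch-Protection) at the top, which is the 80:20 ordering the agenda refers to, while the inconclusive checks are kept apart so they are not mistaken for failures.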
36. DEI: Having your repo comply with community guidelines with things like a code of conduct is an integral part of the OpenSSF best practices that form a part of implementing scorecards.