Open source security is strengthened with a new dashboard and best practices


There is no shortage of challenges when it comes to securing open source software and there is no shortage of ideas on how to mitigate the risks.

It is the stated mission of the OpenSSF (Open Source Security Foundation) to help improve the state of open source security, and that is precisely what it does. The OpenSSF is part of the Linux Foundation and has many ongoing efforts on different aspects of the software development lifecycle.

On September 7, 2022, the organization announced the latest version of its Scorecards effort, an initiative designed to help open source projects and their users identify a project's security status. The updated scorecards come a week after the OpenSSF released new guidelines and best practices on how to secure npm, the widely used and often abused open source package management system for JavaScript.

Simplified access to open source security scorecards

OpenSSF has its roots in an earlier Linux Foundation effort, the Core Infrastructure Initiative (CII), which introduced the concept of best practice badges for open source projects in 2015. The badge project became part of the OpenSSF Scorecards effort in 2020. With Security Scorecards, anyone can run a scan against an open source code repository and automatically identify its overall security status. Badges let an open source project easily and publicly display the results of a scorecard showing its best-practices status.


With the new version of Scorecards, OpenSSF aims to make scorecard information easier to share and more widely accessible through a programmatic approach. A REST API now lets anyone retrieve a data feed of scorecard results, which can then be used for analytics and trend analysis.

"Until now anyone could download the dashboard tool and run it, but now you don't have to run it to get all the information," David Wheeler, director of open source supply chain security at the Linux Foundation, told VentureBeat.
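As an added example (not code from the article or from OpenSSF), here is how a consumer of the Scorecard REST API could turn a project's result into a pass/fail gate before adopting a dependency. The endpoint URL pattern and check names follow the public Scorecard project; the sample response, repository name and policy thresholds are constructed for this example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like an OpenSSF Scorecard API response
# (GET https://api.securityscorecards.dev/projects/github.com/<owner>/<repo>);
# the repository, commit and scores are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "date": "2022-09-07",
    "repo": {"name": "github.com/example-org/example-npm-lib", "commit": "deadbeef"},
    "score": 6.4,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0, "reason": "non read-only tokens detected in GitHub workflows"},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependency not pinned by hash detected"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
        {"name": "Maintained", "score": -1, "reason": "internal error: could not determine activity"},
    ],
})

# Minimum acceptable score (0-10) per check; Scorecard reports -1 when a check
# could not be evaluated, which this policy treats as a finding rather than a pass.
POLICY: Dict[str, int] = {
    "Dangerous-Workflow": 10,
    "Token-Permissions": 7,
    "Pinned-Dependencies": 7,
    "Vulnerabilities": 10,
    "Maintained": 5,
}

def evaluate(response_json: str, policy: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Return (passes, findings) for one repository's Scorecard result."""
    data = json.loads(response_json)
    by_name = {c["name"]: c for c in data.get("checks", [])}
    findings: List[str] = []
    for check, minimum in policy.items():
        result = by_name.get(check)
        if result is None:
            findings.append(f"{check}: not present in scorecard output")
            continue
        score = result["score"]
        if score < 0:
            findings.append(f"{check}: inconclusive ({result['reason']})")
        elif score < minimum:
            findings.append(f"{check}: {score}/10 below minimum {minimum} ({result['reason']})")
    return (not findings, findings)

if __name__ == "__main__":
    ok, findings = evaluate(SAMPLE_RESPONSE, POLICY)
    print("PASS" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```

Running the same evaluation on each transitive dependency's scorecard, and storing the per-check scores over time, is the kind of trend analysis the API is meant to enable.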

Best practices for npm may be obvious, but still important

Beyond the scorecards, OpenSSF aims to provide very specific guidance to help npm users and developers be more secure.

It is not uncommon to find malware in npm libraries. Among the high-profile npm security incidents is one in 2021 about which the US Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory.

Wheeler noted that the best practices guide does not necessarily introduce new open source security concepts; rather, it reinforces well-known ideas and approaches to help mitigate risk, if only users and developers would implement them.

"For the most part, the material in the guide was familiar to many people with a long history of npm," Wheeler said. "But nobody knows everything, and a certain number of people knew something, but that does not mean that knowledge is universal."

One of the best practices identified in the report is to avoid vendoring dependencies. Wheeler explained that vendoring is a risk that arises when a software developer creates a local copy of an npm library. The challenge is...

