Open source security gets a boost with new scorecard and best practices

Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.

There is no shortage of challenges when it comes to securing open source software and no shortage of ideas for how to mitigate risks.

It is the stated mission of the OpenSSF (Open Source Security Foundation) to help improve the state of open source security, and that is precisely what it is doing. The OpenSSF is part of the Linux Foundation and has multiple ongoing efforts across different aspects of the software development lifecycle.

On September 7, 2022 the organization announced the latest iteration of its Scorecards effort, an initiative designed to help open source projects and their users identify the state of security within a project. The updated scorecards come a week after the OpenSSF issued new guidance and best practices on how to secure npm, which is a widely used, and often abused, open source package management system for JavaScript.

Easier access for open source security scorecards

The OpenSSF has its roots in a predecessor effort from the Linux Foundation, known as the Core Infrastructure Initiative (CII), which is where the concept of best practices badges for open source projects was introduced in 2015. The badge projects became part of the OpenSSF’s Scorecards effort in 2020. With security scorecards, anyone can run a scan against an open source code repository and automatically identify the general state of security. Badges enable an open source project to easily publicly display scorecard results showing the state of best practices.


MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

With the new version of scorecard badges, the OpenSSF is looking to make it easier to share and more broadly access scorecard information with a programmatic approach. There is now a REST API that can enable anyone to get a data stream of access to the scorecard information that can then be used for analytics and trend analysis.

“Up until now, anybody could download the scorecard tool and run it, but now they don’t have to run it to get all the information,” David Wheeler, director of open source supply chain security at the Linux Foundation, told VentureBeat.

Best practices for npm might be obvious, but still important

Looking beyond scorecards, the OpenSSF has taken aim at providing very specific guidance to help npm users and developers be more secure.

Finding malware in npm libraries is not uncommon. Among the high-profile security incidents with npm was one in 2021 that the U.S Cybersecurity and Infrastructure Security Agency warned about in an advisory.

Wheeler noted that the best practices guide doesn’t necessarily introduce any new concepts to open source security; rather, it reinforces ideas and approaches that are well known to help mitigate risk — if only users and developers would implement them.

“For the most part the things in the guide were known by many people that have been involved with npm for a long time,” Wheeler said. “But no one knows everything, and a number of folks knew something, but that doesn’t mean the knowledge is universal.”

One of the best practices identified in the report is to avoid vendor dependencies. Wheeler explained that a vendor dependency is a risk that occurs when a software developer makes a local copy of an npm library. The challenge is that the local copy isn’t by default being updated when the original vendor or developer of the software makes a change, which could well be to patch a software flaw or vulnerability.

Wheeler emphasized that vendor dependency risk is not unique to npm, but rather a broader issue across open source software usage. He explained that historically it wasn’t easy for developers to access the original, upstream software code and that’s why it became a common practice to make a local copy. With modern code repositories, such as GitHub, Wheeler said that’s no longer the case and developers no longer need to make local copies that are completely disconnected from the main codebase.

Another best practice for npm that the OpenSSF guide advocates is to embrace the concept of least privilege. The idea behind least privilege is to provide only the minimum required amount of access to an application in order to minimize the potential attack surface. That also involves not including unnecessary access credentials and permissions in code or an npm component.

While the best practices guide for npm is the first such guide from OpenSSF, Wheeler expects that more guides for other critical open source projects will emerge in the future.

“Npm is widely used and as soon as you get on the web you often end up using the npm ecosystem to some extent, even if the code in backend is in Python, Ruby or a different language,” Wheeler said. “I think it was important that we prioritize npm, but this is not the last guide and we’re very much interested in having guidance for other situations.”

Originally appeared on: TheSpuzz