Security of Open Source Software
Vedant Vyawahare
Objective: When we think about using an open-source tool, we want to be sure it’s safe and works well with our company’s tech. We usually find some basic info on the tool’s website and documentation, but we need to dig deeper to see how secure it really is.
Outcome: We carefully assess these security aspects of the tool and give it a score that shows how safe it is overall. The key factors under assessment include:
- Binary Artifacts: Stored compiled code or files.
- Branch Protection: Limits changes to essential branches.
- Dangerous Workflow: Risky automation process.
- CI Tests: Continuous Integration tests.
- Fuzzing: Test inputs for vulnerabilities.
- Licenses: Legal terms for code usage.
- Security Policy: Rules for safe development.
- Pinned Dependencies: Fixed software versions.
Security Score in the Scoutflo Health Score rates the security of our open-source tool. A higher score means better resilience against external threats and vulnerabilities. We use OpenSSF to fetch this data and calculate the score.
What are your thoughts on security vulnerabilities? Is there anything in particular we should focus on?
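As an added example (not the post's or Scoutflo's own code), the following Python aggregates a constructed OpenSSF Scorecard-style JSON result for the checks listed above into one risk-weighted score and surfaces the checks that need attention. The per-check risk levels and the Critical/High/Medium/Low weights are assumptions approximating Scorecard's published scheme; the repository name and scores are constructed sample data.

```python
import json

# Risk weights that the OpenSSF Scorecard project publishes for its check
# risk levels (Critical=10, High=7.5, Medium=5, Low=2.5); assumed here.
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Risk level of each check named in the post (assumed from Scorecard's docs).
CHECK_RISK = {
    "Binary-Artifacts": "High", "Branch-Protection": "High",
    "CI-Tests": "Low", "Dangerous-Workflow": "Critical",
    "Fuzzing": "Medium", "License": "Low",
    "Pinned-Dependencies": "Medium", "Security-Policy": "Medium",
}

# Constructed sample in the shape of a Scorecard JSON result; not real data.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example-org/example-tool"},
    "checks": [
        {"name": "Binary-Artifacts", "score": 10},
        {"name": "Branch-Protection", "score": 4},
        {"name": "CI-Tests", "score": 8},
        {"name": "Dangerous-Workflow", "score": 10},
        {"name": "Fuzzing", "score": 0},
        {"name": "License", "score": 10},
        {"name": "Pinned-Dependencies", "score": 2},
        {"name": "Security-Policy", "score": -1},  # -1 = inconclusive
    ],
})


def aggregate_score(result_json: str) -> float:
    """Risk-weighted average of check scores on a 0-10 scale. Inconclusive
    checks (score -1) are left out of numerator and denominator alike."""
    weighted = total_weight = 0.0
    for check in json.loads(result_json)["checks"]:
        if check["score"] < 0 or check["name"] not in CHECK_RISK:
            continue  # unknown or inconclusive: neither inflate nor punish
        w = RISK_WEIGHT[CHECK_RISK[check["name"]]]
        weighted += w * check["score"]
        total_weight += w
    return round(weighted / total_weight, 2) if total_weight else 0.0


def failing_checks(result_json: str, threshold: int = 5) -> list:
    """Conclusive checks scoring below threshold, highest-risk first."""
    low = [c for c in json.loads(result_json)["checks"]
           if 0 <= c["score"] < threshold]
    low.sort(key=lambda c: -RISK_WEIGHT[CHECK_RISK.get(c["name"], "Low")])
    return [c["name"] for c in low]
```

Calling `aggregate_score(SAMPLE_RESULT)` and `failing_checks(SAMPLE_RESULT)` on the constructed data shows how a single inconclusive check is excluded rather than counted as a zero, and how the weighting ranks the weak Branch-Protection result above the weak Fuzzing result.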
Nathan Tarbert
Another factor would be how robust their SECURITY.md is and whether they are scanning for vulnerabilities in their pipeline.
Nathan Tarbert
When evaluating a package for inclusion in my project, I routinely consult Snyk Advisor (https://snyk.io/advisor/). This platform features multiple tabs providing comprehensive insights into factors such as health and security. The provision of an overarching score rating contributes significantly to bolstering confidence, making it very similar to an online version of OpenSSF but would be easy for more non-technical folks to use.
Sama Carlos Samame
SBOMs would be relevant here
kishore rajendra
A process to identify whether any new zero-day vulnerabilities are found, and how quickly they are patched.
Regular audits, or some kind of report after, let's say, a vulnerability test or similar, would give confidence to use an open-source tool for commercial / prod use.