OpenSSF Scorecard

Intro

The OpenSSF is a cross-industry organization that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

FOSS or OSS is software whose source code anyone can inspect, modify, and enhance.

What is Open Source Software?

Authors make its source code available to others who would like to view that code, copy it, learn from it, alter it, share it, and use it.

As a user, you also need to comply with its license.


Currently, between 70-90% of any piece of modern software is FOSS.

OpenSSF Projects 💪

Scorecard

The goal is to auto-generate a Security Score for open source projects to help users to decide the trust, risk, and security posture for their use case.

The Scorecard

The Scorecard database is populated in two ways:

  1. Proactively, the projects report their latest score changes to the Scorecard (via GitHub Actions or CLI commands) on each commit or release
  2. The OpenSSF runs a cron job against highly used, very relevant open source projects to retrieve all security-related scores

Data origin 🔩

The Scorecard evaluates the security of your project based on automated checks related to four scenarios:

The Target

Alongside the scores, the tool provides remediation prompts to help you fix problems and strengthen your development practices.

The Scoring

The riskiness of each vulnerability is based on how easy it is to exploit. For example, if something can be exploited via a pull request, we consider that a high risk.

There are currently 18 checks made across 3 themes: holistic security practices, source code risk assessment and build process risk assessment.
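As an added example (not Scorecard's own code, nor part of the original slides): a small policy gate over the JSON that `scorecard --format json` emits, which weights each check by its risk level as the scoring slide describes. The per-risk thresholds and the check-to-risk mapping are assumptions to adapt to your own policy, and the sample report is constructed.

```python
"""Gate a build on OpenSSF Scorecard JSON output (scorecard --format json)."""
import json

# Minimum acceptable score (0-10) per risk level; these policy values are assumptions.
MIN_SCORE = {"Critical": 10, "High": 7, "Medium": 5, "Low": 0}

# Risk level per check, approximating the Scorecard check documentation;
# adjust to the current upstream docs and your own policy.
CHECK_RISK = {
    "Dangerous-Workflow": "Critical",
    "Branch-Protection": "High",
    "Code-Review": "High",
    "Token-Permissions": "High",
    "Pinned-Dependencies": "Medium",
    "License": "Low",
}

def failing_checks(report: dict) -> list:
    """Return (check, risk, score, required) for each check under its threshold.
    Scorecard reports -1 when a check could not run; treat that as 0 (fail closed)."""
    failures = []
    for check in report.get("checks", []):
        name = check["name"]
        risk = CHECK_RISK.get(name, "Medium")  # unknown checks default to Medium
        score = max(check.get("score", -1), 0)
        required = MIN_SCORE[risk]
        if score < required:
            failures.append((name, risk, score, required))
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(failures, key=lambda f: (order[f[1]], f[2]))  # worst first

# Constructed sample in the shape of Scorecard's JSON output (not a real project).
SAMPLE_REPORT = json.loads("""{
  "repo": {"name": "github.com/example/project"}, "score": 6.1,
  "checks": [
    {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
    {"name": "Token-Permissions", "score": 0, "reason": "non read-only tokens detected in workflows"},
    {"name": "Branch-Protection", "score": 3, "reason": "branch protection is not maximal"},
    {"name": "Pinned-Dependencies", "score": 4, "reason": "dependency not pinned by hash detected"},
    {"name": "Code-Review", "score": 8, "reason": "found 1 unreviewed changeset out of 12"},
    {"name": "Fuzzing", "score": -1, "reason": "internal error"},
    {"name": "License", "score": 10, "reason": "license file detected"}
  ]
}""")

if __name__ == "__main__":
    for name, risk, score, required in failing_checks(SAMPLE_REPORT):
        print(f"{risk:8} {name:22} {score:2}/10 (policy requires {required})")
```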

The checks

Holistic security practices

Source risk assessment

Build risk assessment

Ecosystem

Scorecard Monitor

Simplify OpenSSF Scorecard tracking with automated markdown and JSON reports, plus optional GitHub issue alerts

👉 Link

Scorecard API Visualizer

Tool for visualizing the OpenSSF Scorecard API data in a human-friendly way

👉 Link

โš’๏ธ Toolbox

Use Case

Extra cool tool

Automatically apply security best practices in your GitHub repository

โš’๏ธ What about...?

👉 NodeJS

👉 React

👉 PHP Stan

👉 Kubernetes

👉 Python

👉 Symfony

Are my dependencies healthy?

Resources

Some cool resources 🦄

Questions

Thank U!