Niels Tanis
Reviewing 3rd party library security easily using OpenSSF Scorecard
#1 (about 4 minutes)
Understanding the inherent risks of third-party dependencies
The vast majority of an application's code comes from third-party libraries, creating significant risk as shown by the Log4j vulnerability.
#2 (about 2 minutes)
How malicious actors infiltrate open source projects
Malicious actors can introduce backdoors into trusted projects over long periods, as demonstrated by the XZ Utils supply chain attack.
#3 (about 2 minutes)
Detecting known vulnerabilities and hidden package dependencies
Tooling can help identify publicly disclosed vulnerabilities, but risks remain from unmanaged or hidden dependencies bundled within packages.
#4 (about 2 minutes)
Introducing OpenSSF Scorecard as a software nutrition label
OpenSSF Scorecard provides a "nutrition label" for open source projects by running automated checks to assess their security posture.
#5 (about 3 minutes)
Breaking down key security checks in Scorecard
Scorecard evaluates projects based on the presence of known vulnerabilities, automated dependency updates, security policies, and the use of testing like fuzzing and SAST.
#6 (about 3 minutes)
Evaluating project health and build process integrity
Scorecard assesses repository health through checks for branch protection, code reviews, contributor diversity, pinned dependencies, and signed releases.
#7 (about 2 minutes)
Applying Scorecard to analyze a real-world package
A practical demonstration shows how to run Scorecard against a popular library like Newtonsoft.Json and use its API to analyze transitive dependencies.
#8 (about 3 minutes)
Correlating Scorecard results with real-world security data
Research shows a strong correlation between higher OpenSSF Scorecard scores and better security outcomes, such as fewer vulnerabilities and more active maintenance.
#9 (about 3 minutes)
Exploring the future of automated security analysis
Future improvements in security tooling should focus on deeper analysis like coverage-based fuzzing, data-flow SAST, build reproducibility, and community-based auditing.
#10 (about 1 minute)
Final takeaways on integrating Scorecard into your workflow
Scorecard is a valuable tool for assessing project health but should be used as part of a broader security strategy, not as an end goal.