"Boffins Rate npm and PyPI Package Security and It's Not Good"
Computer scientists at North Carolina State University (NCSU) have evaluated the software package registries npm and PyPI using Open Source Security Foundation (OpenSSF) Scorecards. The OpenSSF Scorecard project was launched in November 2020 to provide an automated tool for determining whether specific security practices are being followed. Scorecards assign a 0 to 10 rating to 18 different heuristics, or checks, such as Binary Artifacts, Branch Protection, and Dangerous Workflow. The NCSU researchers applied the OpenSSF Scorecard to packages in npm and PyPI to identify which security practices developers using those registries follow.

According to Nusrat Zahan, the study's corresponding author, the research reveals a gap in security practices in both ecosystems. The Code-Review, Maintained, Binary Artifacts, License, and Branch Protection checks evaluate the security posture of a repository; apart from Binary Artifacts, both ecosystems failed to implement these practices at scale. The researchers' findings, which they plan to update in a revised draft, demonstrate both the value and the limitations of automated security testing.

The only check rated "Critical" in importance was Dangerous Workflow, which both npm and PyPI passed. This check looks for untrusted code checkout and for script injection through untrusted context variables in packages' GitHub workflows, both caused by misconfigured GitHub Actions (automation scripts). Over 99 percent of packages passed, but Scorecard still found vulnerable code patterns in 1,938 npm packages and 508 PyPI packages. An attacker could exploit such a package by creating a malicious GitHub issue title that injects code and opens a reverse shell connection. This article continues to discuss the study's findings on using the OpenSSF Scorecard to measure the security posture of the npm and PyPI ecosystems.
The Register reports "Boffins Rate npm and PyPI Package Security and It's Not Good"
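To make the Dangerous Workflow pattern concrete, here is an added example (not from the study or from the Scorecard project) of the script-injection half of that check: a small Python scanner that flags untrusted event contexts, such as the issue title, expanded directly inside a `run:` step, applied to two constructed workflows, one vulnerable and one that passes the value through an environment variable instead. The list of untrusted contexts and the line-based YAML handling are assumptions of this example, not Scorecard's implementation.

```python
import re

# Event contexts an outside contributor controls (constructed list, drawn from
# GitHub's workflow-hardening guidance). Expanding one of these inside run:
# is unsafe because the expression is expanded before the shell runs.
UNTRUSTED = re.compile(
    r"github\.(event\.(issue|pull_request|comment|review|head_commit)\."
    r"(title|body|message|head\.ref)|head_ref)"
)
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

def find_script_injections(workflow_text):
    """Return (line_no, expression) for untrusted contexts used in run: steps."""
    findings, in_run, run_indent = [], False, 0
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        key = re.match(r"(?:-\s+)?([\w-]+):", stripped)
        if key and in_run and indent <= run_indent:
            in_run = False  # a sibling key (env:, name:, next step) ends run:
        if key and key.group(1) == "run":
            in_run, run_indent = True, indent
        if in_run:
            findings += [(line_no, m.group(0)) for m in EXPR.finditer(line)
                         if UNTRUSTED.search(m.group(1))]
    return findings

# Constructed workflows: the first interpolates the issue title straight into
# the shell; the second passes it through an environment variable instead.
VULNERABLE = """\
on: issues
jobs:
  greet:
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "Opened by: ${{ github.actor }}"
"""
HARDENED = """\
on: issues
jobs:
  greet:
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""
```

`find_script_injections(VULNERABLE)` reports line 6 with the issue-title expression, while `github.actor` on the next line is left alone; the hardened workflow yields no findings because the shell only ever sees `$TITLE` as data.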