"Open Source Security Gets a Boost With New Scorecard and Best Practices"

The Open Source Security Foundation's (OpenSSF) mission is to help improve the state of open source security. The OpenSSF, which is part of the Linux Foundation, is engaged in multiple ongoing projects that span various phases of the software development lifecycle. On September 7, 2022, the organization announced the latest iteration of its Scorecard initiative, which is intended to help open source projects and their users determine the state of security within a project. The updated scorecards come after the OpenSSF issued new guidance and best practices for securing npm, a widely used and frequently abused open source package management system for JavaScript.

The OpenSSF originates from the Linux Foundation's predecessor effort, the Core Infrastructure Initiative (CII), which introduced the concept of best practices badges for open source projects in 2015. In 2020, the badge projects became part of the OpenSSF Scorecard effort. Anyone can use Scorecard to run a scan against an open source code repository and automatically determine its overall state of security. Badges allow an open source project to easily publicize scorecard results that show its current adherence to best practices.

The OpenSSF hopes the new version of the Scorecard badges will make scorecard information easier to share and more broadly accessible through a programmatic approach. A REST API is now available that lets anyone retrieve scorecard data as a stream, which can then be used for analytics and trend analysis. This article continues to discuss the new iteration of the OpenSSF's Scorecard effort.

VB reports "Open Source Security Gets a Boost With New Scorecard and Best Practices"

Submitted by Anonymous on