The vast majority of an application's code comes from third-party libraries, creating significant risk as shown by the Log4j vulnerability.
Malicious actors can introduce backdoors into trusted projects over long periods, as demonstrated by the XZ Utils supply chain attack.
Tooling can help identify publicly disclosed vulnerabilities, but risks remain from unmanaged or hidden dependencies bundled within packages.
OpenSSF Scorecard provides a "nutrition label" for open source projects by running automated checks to assess their security posture.
Scorecard evaluates projects based on the presence of known vulnerabilities, automated dependency updates, security policies, and the use of testing like fuzzing and SAST.
Scorecard assesses repository health through checks for branch protection, code reviews, contributor diversity, pinned dependencies, and signed releases.
A practical demonstration shows how to run Scorecard against a popular library like Newtonsoft.Json and use its API to analyze transitive dependencies.
Research shows a strong correlation between higher OpenSSF Scorecard scores and better security outcomes, such as fewer vulnerabilities and more active maintenance.
Future improvements in security tooling should focus on deeper analysis like coverage-based fuzzing, data-flow SAST, build reproducibility, and community-based auditing.
Scorecard is a valuable tool for assessing project health but should be used as part of a broader security strategy, not as an end goal.
28:27Niels Tanis
29:50Kevin Lewis
32:55Natale Vinto
25:28Joseph Katsioloudes
21:53Isaac Evans
26:59Jakub Andrzejewski
29:47Thomas Chauchefoin & Paul Gerste
24:47Adrian Mouat
.png?w=240&auto=compress,format)
Jobs that call for the skills explored in this talk.
NTT DATA Deutschland GmbH
NTT DATA Deutschland GmbH
Fraunhofer-Gesellschaft
Cypress Semiconductor Corporation
Kanton Zürich