OpenSSF Scorecard 101

Ulises Gascón

Member of the Express Technical Committee (TC), TC39 Delegate, as well as a Node.js core collaborator and releaser

The Open Source Security Foundation (OpenSSF) is a community of software developers, security engineers, and more who are working together to secure open source software for the greater public good.

OpenSSF Structure

WGs, Projects, & SIGs

Landscape

Resources

OpenSSF Scorecard

Scorecard assesses open source projects for security risks through a series of automated checks

The target

The Scorecard evaluates the security of your project based on automated checks related to four scenarios:

Risk levels

Each automated check returns a score out of 10 and a risk level. The risk level adds a weighting to the score, and this weighting is compiled into a single, aggregate score. This score helps give a sense of the overall security posture of a project.

The riskiness of each vulnerability is based on how easy it is to exploit. For example, if something can be exploited via a pull request, we consider that a high risk.

There are currently 18 checks made across 3 themes: holistic security practices, source code risk assessment and build process risk assessment.

Holistic security practices

Source risk assessment

Build risk assessment

OpenSSF in Node.js

Implementation

The steps

1. Add a GitHub Action to calculate and report the score regularly

2. Make changes to improve the scoring

3. Monitor the changes

Challenges

Our Case

The major challenge was our SCALE and the WAY OF WORKING

  • We have dozens of projects (node, undici, website, etc.)
  • We track the changes once every two weeks during our Security Team Meetings
  • We want to spot the differences when the scoring has changed
  • We want an easy way to patch and reduce the Time to Remediation (TTR)
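To make the risk weighting described under "Risk levels" and the "spot the differences" goal above concrete, here is an added example (not code from the slides, from Node.js or from the Scorecard project). It folds per-check scores into one aggregate using risk-level weights assumed to match the Scorecard implementation (Critical 10, High 7.5, Medium 5, Low 2.5, with inconclusive -1 results excluded), diffs two reports, and picks the single fix that lifts the aggregate most. The check names and risk levels follow the Scorecard docs; the scores are constructed.

```python
from typing import Dict, List, Tuple

# Weight per risk level when aggregating (assumed here to match the Scorecard
# implementation; the slides only say that the risk level "adds a weighting").
RISK_WEIGHTS: Dict[str, float] = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# One check result: (check name, risk level, score 0..10, or -1 when inconclusive)
Check = Tuple[str, str, int]

def aggregate_score(checks: List[Check]) -> float:
    """Risk-weighted mean of the conclusive check scores, rounded to one decimal."""
    total = weight_sum = 0.0
    for _, risk, score in checks:
        if score < 0:  # -1 = inconclusive: excluded, it neither helps nor hurts
            continue
        total += score * RISK_WEIGHTS[risk]
        weight_sum += RISK_WEIGHTS[risk]
    return round(total / weight_sum, 1) if weight_sum else -1.0

def score_diff(old: List[Check], new: List[Check]) -> Dict[str, Tuple[int, int]]:
    """Checks whose score moved between two reports, as name -> (old, new)."""
    before = {name: score for name, _, score in old}
    after = {name: score for name, _, score in new}
    return {n: (before[n], after[n]) for n in before if n in after and before[n] != after[n]}

def best_remediation(checks: List[Check]) -> Tuple[str, float]:
    """Which single check, if raised to 10, lifts the aggregate most (cheap TTR triage)."""
    best = ("", aggregate_score(checks))
    for i, (name, risk, score) in enumerate(checks):
        if score == 10:
            continue
        patched = checks[:i] + [(name, risk, 10)] + checks[i + 1:]
        new_total = aggregate_score(patched)
        if new_total > best[1]:
            best = (name, new_total)
    return best

# Constructed sample report: a subset of the 18 checks with illustrative scores.
SAMPLE: List[Check] = [
    ("Branch-Protection", "High", 3),
    ("Code-Review", "High", 10),
    ("Dangerous-Workflow", "Critical", 10),
    ("Token-Permissions", "High", 0),
    ("Pinned-Dependencies", "Medium", 5),
    ("Fuzzing", "Medium", -1),
    ("License", "Low", 10),
]
```

Running `aggregate_score(SAMPLE)` gives 6.2, and `best_remediation(SAMPLE)` reports that fixing Token-Permissions alone lifts it to 8.1, which is the kind of signal a biweekly review wants before opening patches.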

Time to Remediation

Secure Repo

OpenSSF Scorecard Monitor

Github Action

Report

Issues

OpenSSF Scorecard Visualizer

Visualize

Compare

Thanks!

Dreams are extremely important. You can't do it unless you imagine it. 

- George Lucas