June 21-24, 2022
Austin, Texas, USA + Virtual
Note: The schedule is subject to change.
Tuesday, June 21 • 12:00pm - 12:40pm
Assessing the Risk of Open-source Components Using OpenSSF's Scorecard - Laurent Simon, Google & Naveen Srinivasan, Endor Labs

Demand for open source continues to explode. Developers worldwide keep requesting more open-source packages, with developer downloads of open-source components growing 73% year over year. Yet even when a project's code is open, the processes used to run, test, and maintain it are far less visible. For example, do you know whether the log4j project requires code review to reduce the likelihood of dangerous code being introduced into the codebase? How about the npm-color project? This lack of transparency makes it hard for consumers of a project, including large companies, to assess its risk and make informed decisions about adopting and maintaining open-source components. In this talk, we introduce a tool developed by the OpenSSF: Scorecards. Scorecards is an automated tool that evaluates a set of security-relevant heuristics ("checks") against a repository and assigns each check a score from 0 to 10. You can use these scores to identify the specific areas to improve in order to strengthen the security posture of your own project or of a dependency. Since its v4 release in January 2022, Scorecards has been installed on over 800 GitHub repositories as of March 2022, and it is recommended in GitHub's documentation for hardening workflows.
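The per-check scores described above are most useful when a consumer turns them into a policy rather than reading the aggregate score alone, since a high aggregate can hide a zero on the one check you care about. The following is an added example, not code from the talk or from the Scorecard project: it reads Scorecard JSON output and gates each repository on a minimum score per check. The JSON field names (`repo.name`, `checks[].name`, `checks[].score`) are assumed from the shape of `scorecard --format json` output, the repositories and scores are constructed, and the thresholds in `DEFAULT_POLICY` are illustrative. A check that Scorecard could not evaluate (score -1) or that is absent from the output fails the gate rather than passing silently.

```python
import json

# Minimum acceptable score (0-10) per Scorecard check. This is an assumed,
# illustrative policy, not a recommendation from the Scorecard project.
DEFAULT_POLICY = {
    "Code-Review": 5,
    "Branch-Protection": 3,
    "Dangerous-Workflow": 10,
    "Token-Permissions": 7,
}

# Scorecard reports -1 when a check could not be evaluated (inconclusive).
INCONCLUSIVE = -1

# Constructed sample: two newline-delimited JSON documents shaped like
# `scorecard --format json` output. Field names are assumed; the repository
# names, scores and reasons are invented for this example.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({
        "repo": {"name": "github.com/example/good-lib"},
        "score": 9.1,
        "checks": [
            {"name": "Code-Review", "score": 10, "reason": "all changesets reviewed"},
            {"name": "Branch-Protection", "score": 8, "reason": "branch protection is not maximal"},
            {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
            {"name": "Token-Permissions", "score": 9, "reason": "tokens are read-only"},
        ],
    }),
    json.dumps({
        "repo": {"name": "github.com/example/risky-lib"},
        "score": 4.2,
        "checks": [
            {"name": "Code-Review", "score": 2, "reason": "few changesets reviewed"},
            {"name": "Branch-Protection", "score": -1, "reason": "internal error: insufficient permissions"},
            {"name": "Token-Permissions", "score": 10, "reason": "tokens are read-only"},
        ],
    }),
])


def load_results(text):
    """Parse one Scorecard JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(result, policy=DEFAULT_POLICY):
    """Compare one repository's checks against the policy.

    Returns a list of (check, score, minimum, ok). A check that is missing
    from the output or scored -1 (inconclusive) is reported as not ok, so
    the gate fails closed instead of treating "unknown" as "fine".
    """
    scores = {c["name"]: c["score"] for c in result.get("checks", [])}
    findings = []
    for check, minimum in policy.items():
        score = scores.get(check)
        if score is None or score == INCONCLUSIVE:
            findings.append((check, score, minimum, False))
        else:
            findings.append((check, score, minimum, score >= minimum))
    return findings


def failing_checks(result, policy=DEFAULT_POLICY):
    """Names of the checks that keep this repository from passing the gate."""
    return [check for check, _, _, ok in evaluate(result, policy) if not ok]


def gate(results, policy=DEFAULT_POLICY):
    """Map each repository name to its failing checks (empty list = pass)."""
    return {r["repo"]["name"]: failing_checks(r, policy) for r in results}


def explain(result, policy=DEFAULT_POLICY):
    """Human-readable lines suitable for a CI log or a dependency review comment."""
    lines = []
    for check, score, minimum, ok in evaluate(result, policy):
        if score is None:
            shown = "missing"
        elif score == INCONCLUSIVE:
            shown = "inconclusive"
        else:
            shown = str(score)
        lines.append(f"{'PASS' if ok else 'FAIL'} {check}: {shown} (min {minimum})")
    return lines


if __name__ == "__main__":
    for result in load_results(SAMPLE_OUTPUT):
        print(result["repo"]["name"])
        for line in explain(result):
            print("  " + line)
```

In practice you would feed the gate the output of `scorecard --repo=<repo> --format json` for each dependency; the constructed second repository shows why the aggregate score is not enough on its own, since it fails the gate on a low Code-Review score, an inconclusive Branch-Protection result, and a check that was never run.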

Naveen Srinivasan

OSS Contributor, Endor Labs
Naveen Srinivasan is a software engineer at [Endor Labs](https://www.endorlabs.com). He has been making consistent contributions to the open-source community for many years and has not missed a single day of contributing for the past two years. He is a contributor and maintainer of...
Laurent Simon

Security Engineer, Google
Laurent is a security engineer in the Open Source Security Team (GOSST) at Google. His team works in collaboration with the open-source community and the OpenSSF on novel security solutions, such as Scorecards, Allstar, Sigstore, SLSA, OSS-Fuzz, OSV, etc.

Tuesday June 21, 2022 12:00pm - 12:40pm CDT
Room 203/204 (Level 2)