Open source security gets a boost with new scorecard and best practices

September 8, 2022
There is no shortage of challenges when it comes to securing open source software and no shortage of ideas for how to mitigate risks.

It is the stated mission of the OpenSSF (Open Source Security Foundation) to help improve the state of open source security, and that is precisely what it is doing. The OpenSSF is part of the Linux Foundation and has multiple ongoing efforts across different aspects of the software development lifecycle.

On September 7, 2022, the organization announced the latest iteration of its Scorecards effort, an initiative designed to help open source projects and their users identify the state of security within a project. The updated scorecards come a week after the OpenSSF issued new guidance and best practices on how to secure npm, a widely used, and often abused, open source package management system for JavaScript.

Easier access for open source security scorecards

The OpenSSF has its roots in a predecessor effort from the Linux Foundation, known as the Core Infrastructure Initiative (CII), which is where the concept of best practices badges for open source projects was introduced in 2015. The badge projects became part of the OpenSSF’s Scorecards effort in 2020. With security scorecards, anyone can run a scan against an open source code repository and automatically identify the general state of security. Badges enable an open source project to easily publicly display scorecard results showing the state of best practices.


With the new version of scorecard badges, the OpenSSF is looking to make scorecard information easier to share and more broadly accessible through a programmatic approach. There is now a REST API through which anyone can retrieve scorecard results as a data feed, which can then be used for analytics and trend analysis.

“Up until now, anybody could download the scorecard tool and run it, but now they don’t have to run it to get all the information,” David Wheeler, director of open source supply chain security at the Linux Foundation, told VentureBeat.
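One way to consume that feed is as a policy gate: pull a project's scorecard, compare each check against a minimum you are willing to accept, and fail the build when a dependency falls short. The code below is an added example, not OpenSSF's own tooling; the endpoint URL and the response layout (an overall `score` plus a list of named `checks` scored 0 to 10, with -1 meaning the check could not run) are assumptions, and the sample response is constructed.

```python
import json

# Constructed sample shaped like a Scorecard REST API response.
# Assumption: the public endpoint is
# https://api.securityscorecards.dev/projects/github.com/<owner>/<repo>;
# the repository name and the numbers below are made up, not real results.
SAMPLE_RESPONSE = json.dumps({
    "repo": {"name": "github.com/example-org/example-lib"},
    "score": 6.1,
    "checks": [
        {"name": "Maintained", "score": 10, "reason": "30 commit(s) in the last 90 days"},
        {"name": "Vulnerabilities", "score": 0, "reason": "2 known vulnerabilities detected"},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependencies not pinned by hash"},
        {"name": "Token-Permissions", "score": -1, "reason": "no workflows found"},
        {"name": "Branch-Protection", "score": 8, "reason": "branch protection is not maximal"},
    ],
})

# Minimum acceptable score (0-10) per check for a dependency to be allowed in.
POLICY = {"Vulnerabilities": 10, "Pinned-Dependencies": 5,
          "Maintained": 5, "Token-Permissions": 5}


def scorecard_url(owner, repo):
    """URL of the scorecard for a GitHub repository (endpoint is an assumption)."""
    return f"https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}"


def evaluate(response_text, policy=POLICY, min_overall=5.0):
    """Gate one scorecard result against a policy.

    Returns 'passed', the failing checks, and the checks the tool could not
    run (score -1), which are reported but do not fail the gate on their own.
    """
    data = json.loads(response_text)
    failures, inconclusive = [], []
    if data["score"] < min_overall:
        failures.append(f"overall: {data['score']} < {min_overall}")
    by_name = {c["name"]: c for c in data["checks"]}
    for check, minimum in policy.items():
        c = by_name.get(check)
        if c is None:
            failures.append(f"{check}: not reported")
        elif c["score"] < 0:
            inconclusive.append(f"{check}: {c['reason']}")
        elif c["score"] < minimum:
            failures.append(f"{check}: {c['score']} < {minimum} ({c['reason']})")
    return {"passed": not failures, "failures": failures, "inconclusive": inconclusive}
```

Storing each day's `evaluate` output alongside the raw response gives the trend data the article mentions, so a check that regresses (say, Pinned-Dependencies dropping from 8 to 3) shows up as a diff rather than a surprise.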

Best practices for npm might be obvious, but still important

Looking beyond scorecards, the OpenSSF has taken aim at providing very specific guidance to help npm users and developers be more secure.

Finding malware in npm libraries is not uncommon. Among the high-profile security incidents with npm was one in 2021 that the U.S. Cybersecurity and Infrastructure Security Agency warned about in an advisory.

Wheeler noted that the best practices guide doesn’t necessarily introduce any new concepts to open source security; rather, it reinforces ideas and approaches that are well known to help mitigate risk — if only users and developers would implement them.

“For the most part the things in the guide were known by many people that have been involved with npm for a long time,” Wheeler said. “But no one knows everything, and a number of folks knew something, but that doesn’t mean the knowledge is universal.”


One of the best practices identified in the report is to avoid vendor dependencies. Wheeler explained that a vendor dependency is a risk that arises when a software developer makes a local copy of an npm library. The challenge is that the local copy is not updated by default when the original vendor or developer of the software makes a change, which may well be a patch for a software flaw or vulnerability.

Wheeler emphasized that vendor dependency risk is not unique to npm, but rather a broader issue across open source software usage. He explained that historically it wasn’t easy for developers to access the original, upstream software code and that’s why it became a common practice to make a local copy. With modern code repositories, such as GitHub, Wheeler said that’s no longer the case and developers no longer need to make local copies that are completely disconnected from the main codebase.
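A small check for the vendoring practice described above, added here as an example and not taken from the OpenSSF guide or the article. It treats npm dependency specifiers that point at a local path, a `file:` or `link:` target, or a local tarball as disconnected copies that should be reviewed against upstream; that classification is a heuristic assumption, and the package.json is constructed.

```python
import json

# Constructed package.json for illustration; not from any real project.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "left-pad": "^1.3.0",                              # registry, updatable
        "my-fork-of-lodash": "file:./vendor/lodash",       # local copy
        "internal-utils": "link:../internal-utils",        # local copy
        "old-lib": "./vendor/old-lib-1.0.0.tgz",           # local tarball
        "other": "git+https://github.com/example/other.git",
    },
    "devDependencies": {"jest": "^29.0.0"},
})

# Specifier shapes npm resolves from the local filesystem rather than the
# registry (assumption: this list is what counts as "vendored" here).
LOCAL_PREFIXES = ("file:", "link:", "./", "../", "/")
LOCAL_SUFFIXES = (".tgz", ".tar.gz")


def is_local_copy(spec):
    """True when a dependency specifier resolves to a local copy, not the registry."""
    return spec.startswith(LOCAL_PREFIXES) or spec.endswith(LOCAL_SUFFIXES)


def find_vendored(package_json_text):
    """Return (section, name, spec) for every locally sourced dependency."""
    pkg = json.loads(package_json_text)
    found = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if is_local_copy(spec):
                found.append((section, name, spec))
    return found
```

Each hit is a copy that will silently miss upstream fixes until someone refreshes it by hand, which is exactly the gap Wheeler describes.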

Another best practice for npm that the OpenSSF guide advocates is to embrace the concept of least privilege. The idea behind least privilege is to provide only the minimum required amount of access to an application in order to minimize the potential attack surface. That also involves not including unnecessary access credentials and permissions in code or an npm component.

While the best practices guide for npm is the first such guide from OpenSSF, Wheeler expects that more guides for other critical open source projects will emerge in the future.

“Npm is widely used and as soon as you get on the web you often end up using the npm ecosystem to some extent, even if the code in the backend is in Python, Ruby or a different language,” Wheeler said. “I think it was important that we prioritize npm, but this is not the last guide and we’re very much interested in having guidance for other situations.”
