Google wants to help the programming community work more confidently with open source software.
The search-cloud-platform tech giant has developed a new scorecard system intended to allow software application development professionals to assess the risks associated with any piece of open source software.
Specifically, Google’s tool assesses the risks relating to the dependencies of any given piece of open software.
The score system is known, logically enough, as Scorecards – and it is a project in its own right under the Open Source Security Foundation (OpenSSF).
According to the Google open source blog, Scorecards auto-generates a ‘security score’ for open source projects to help users as they decide the trust, risk, and security posture for their use case.
Scorecards defines an initial evaluation criteria that will be used to generate a scorecard for an open source project in an automated way and every scorecard check is actionable.
It will still (obviously) be up to the individual developer to decide whether or not to use a particular chunk of code, or, alternatively, to push it forward for additional evaluation.
At this early stage of the project, Scorecards is restricted to working with GitHub software repositories… but the project aims to expand over time.
According to Kim Lewandowski, Dan Lorenc and Abhishek Arya on the Google Security team, “Some of the evaluation metrics used include a well-defined security policy, code review process, and continuous test coverage with fuzzing and static code analysis tools. A boolean is returned as well as a confidence score for each security check. Over time, Google will be improving upon these metrics with community contributions through the OpenSSF.”
The Security Scorecards project is on GitHub.