November 8-10 | Lake Tahoe, California
View More Details

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for the Linux Foundation Member Summit 2022 to participate in the sessions.

Please note that the schedule is subject to change.
Back To Schedule
Thursday, November 10 • 10:00am - 10:30am
Do You Know the Health of Your OSS Dependencies? Introducing OSSF Scorecard - Naveen Srinivasan, Endor Labs & Brian Russell, Google

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Most software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn't it be nice to get a score of the dependencies' health? Enter OSSF Scorecard. Scorecards is an automated tool that assesses several important heuristics ("checks") associated with software security and assigns each check a score of 0-10. These scores help understand specific areas to improve to strengthen the security posture of a dependency. Projects like enoyproxy,tensorflow, and flutter use Scorecard. This talk will introduce Scorecard, a tool that scans many risky patterns in the development life cycle. The scorecard project runs a weekly scan of 1M critical projects, and we will provide some findings about the results. Developers can use these public results to assess the risk associated with dependencies they use, with a real example of projects doing that today. We will demonstrate how a given project can understand the risk by using Scorecard's New REST API for querying the health of the OSS dependency.

avatar for Naveen Srinivasan

Naveen Srinivasan

Software Engineer, Endor Labs
Naveen contributes to fun OSS projects like https://github.com/ossf and other supply chain security projects. http://github.com/naveensrinivasan Naveen was awarded Google Peer Bonus award for 2021 and 2022 for his OSS contributions.
avatar for Brian Russell

Brian Russell

Program Manager, Google
Brian is a Product Manager on Google’s Open Source Security Team. He focuses on software supply chain security and is actively involved in the OpenSSF Scorecards project. In his spare time, Brian enjoys 3D printing and Atari video game programming.

Thursday November 10, 2022 10:00am - 10:30am PST
Grand Sierra Ballroom B