Some naive people may still think they're not using open-source software. They're wrong. Everyone does. According to the Synopsys Cybersecurity Research Center[1] (CyRC) 2021 "Open Source Security and Risk Analysis" (OSSRA) report[2], 95% of all commercial programs contain open-source software. By CyRC's count, the vast majority of that code contains outdated or insecure code. But how can you tell which libraries and other components are safe without doing a deep code dive? Google[3] and the Open Source Security Foundation (OSSF)[4] have a quick and easy answer: The OpenSSF Security Scorecards[5].
These Scorecards are based on a set of automated pass/fail checks to provide a quick review of many open-source software projects. The Scorecards project[6] is an automated security tool that produces a "risk score" for open-source programs.
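As an added example (not part of the original article and not the Scorecards project's own code), the script below shows what a consumer can do with pass/fail check results of the kind described above: weight the checks into a single risk score and flag dependencies that score too low or fail a check the consumer treats as mandatory. The JSON shape, the check names, the weights and the repository names are all constructed for illustration; they are assumptions, not Scorecard's real output format or its weighting.

```python
"""Turn Scorecard-style pass/fail check results into a risk score and a policy decision."""
import json
from dataclasses import dataclass, field

# Constructed consumer policy: how much each check contributes to the score.
# These weights are an assumption for the example, not Scorecard's own scoring.
CHECK_WEIGHTS = {
    "Vulnerabilities": 4,
    "Code-Review": 3,
    "Branch-Protection": 3,
    "Pinned-Dependencies": 2,
    "Signed-Releases": 2,
    "Token-Permissions": 1,
}

# Checks that must pass no matter how good the aggregate score is.
REQUIRED_CHECKS = {"Vulnerabilities", "Code-Review"}


@dataclass
class Finding:
    repo: str
    score: float
    failed_required: list = field(default_factory=list)
    missing: list = field(default_factory=list)


def risk_score(checks):
    """Weighted share of passing checks, scaled to 0..10.

    `checks` maps check name -> True/False. A check that is absent from the
    report counts as failed, so an incomplete report fails closed rather than
    silently inflating the score.
    """
    total = sum(CHECK_WEIGHTS.values())
    earned = sum(weight for name, weight in CHECK_WEIGHTS.items() if checks.get(name) is True)
    return round(10 * earned / total, 1)


def evaluate(reports_json, min_score=7.0):
    """Return a Finding for every repo that is below `min_score` or fails a required check."""
    findings = []
    for report in json.loads(reports_json):
        checks = {c["name"]: bool(c["pass"]) for c in report.get("checks", [])}
        score = risk_score(checks)
        failed_required = sorted(n for n in REQUIRED_CHECKS if not checks.get(n))
        missing = sorted(n for n in CHECK_WEIGHTS if n not in checks)
        if score < min_score or failed_required:
            findings.append(Finding(report["repo"], score, failed_required, missing))
    return findings


# Constructed sample input in the assumed report shape: one entry per dependency.
SAMPLE_RESULTS = json.dumps([
    {"repo": "github.com/example/good-lib", "checks": [
        {"name": n, "pass": True} for n in CHECK_WEIGHTS]},
    # Two failures and one check missing from the report (Token-Permissions).
    {"repo": "github.com/example/partial-lib", "checks": [
        {"name": "Vulnerabilities", "pass": True},
        {"name": "Code-Review", "pass": True},
        {"name": "Branch-Protection", "pass": False},
        {"name": "Pinned-Dependencies", "pass": True},
        {"name": "Signed-Releases", "pass": False}]},
    # High aggregate score, but the one required check that matters most fails.
    {"repo": "github.com/example/unpatched-lib", "checks": [
        {"name": "Vulnerabilities", "pass": False},
        {"name": "Code-Review", "pass": True},
        {"name": "Branch-Protection", "pass": True},
        {"name": "Pinned-Dependencies", "pass": True},
        {"name": "Signed-Releases", "pass": True},
        {"name": "Token-Permissions", "pass": True}]},
])

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESULTS):
        print(f"{f.repo}: score={f.score} failed_required={f.failed_required} missing={f.missing}")
```

The point of the two separate gates is that a weighted score alone can hide a single critical failure: `unpatched-lib` scores 7.3, above the 7.0 threshold, and is still flagged because `Vulnerabilities` is required. Treating absent checks as failures is the other choice worth copying; a partial report should lower confidence, not raise the score.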
That's important because only some organizations have systems and processes in place to check new open-source dependencies for security problems. Even at Google, though, with all its resources, this process is often tedious, manual, and error-prone. Worse still, many of these projects and developers are resource-constrained. The result? Security often ends up a low priority[7] on the task list. This leads to critical projects not following good security best practices and becoming vulnerable to exploits.
With the release of Scorecards v2[8], the Scorecards project hopes to make security checks, and therefore security itself, easier to achieve. The release adds new security checks, scales up the number of projects being scored, and makes that data easily accessible for analysis.
For developers, Scorecards help reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project's supply chain. Consumers can automatically access the risks to make