
Assessing the Likelihood of Bugs in Open Source Software

Original Post: Quantifying the Probability of Flaws in Open Source

Jay Jacobs and a colleague delivered an RSA presentation titled “Quantifying the Probability of Flaws in Open Source.” The talk focused on identifying red flags in open-source libraries, which matters because developers rarely update the third-party libraries their applications depend on. The speakers combined several datasets: Veracode’s State of Software Security report, GitHub metadata, and OpenSSF’s weekly scans of open-source projects. They used OpenSSF Scorecard results to assess each project’s security posture, but noted that many of the libraries found in real-world applications have no Scorecard score at all. Despite limitations and biases in the Scorecard data, the analysis surfaced several factors correlated with vulnerabilities. Two key findings: the absence of a dependency-update tool correlated with more vulnerabilities, and mature security practices correlated with more known vulnerabilities, a counterintuitive result that is itself a reason to read the score carefully rather than as a measure of safety. Scorecard shows promise but should be used cautiously, with attention to individual checks rather than the overall score. They also advise against using the OpenSSF BigQuery public dataset, as it has significant data gaps.
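To make the “individual checks, not the aggregate” advice concrete, here is an added example (not code from the original post or from the RSA talk) that triages Scorecard-style JSON for the red flags the talk calls out. It assumes the JSON layout that `scorecard --format json` and api.securityscorecards.dev emit (a top-level `score` plus a `checks` list of objects with `name`, `score` and `reason`), and uses Scorecard’s documented check names; the per-check thresholds, the repository names and the results themselves are constructed for the example, including one project that was never scanned, as the post says many real-world dependencies are.

```python
"""Flag red-flag Scorecard checks instead of trusting the aggregate score.

Added example, not the post's or the talk's own code. It assumes the JSON
layout emitted by `scorecard --format json` / api.securityscorecards.dev:
{"repo": {...}, "score": <0-10>, "checks": [{"name", "score", "reason"}, ...]}.
Thresholds, repo names and results below are constructed for illustration.
"""
import json
from typing import Dict, List, Optional

# Hypothetical policy: the individual checks to inspect and the minimum score
# (0-10) below which the project is flagged. Scorecard reports -1 when a check
# could not be evaluated; that case is reported separately, not as a pass.
RED_FLAG_CHECKS: Dict[str, int] = {
    "Dependency-Update-Tool": 1,   # absence correlated with more vulns in the talk
    "Maintained": 5,
    "Vulnerabilities": 10,         # any open OSV finding lowers this below 10
    "Pinned-Dependencies": 3,
}

# Constructed sample results. lib-a and lib-b share the same aggregate score
# but differ sharply on the checks above; lib-c ran only one check; lib-d was
# never scanned at all (the post notes many real dependencies have no score).
SAMPLE_RESULTS: Dict[str, Optional[str]] = {
    "github.com/example/lib-a": json.dumps({
        "repo": {"name": "github.com/example/lib-a"},
        "score": 6.4,
        "checks": [
            {"name": "Dependency-Update-Tool", "score": 10, "reason": "update tool detected"},
            {"name": "Maintained", "score": 8, "reason": "recent commits"},
            {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
            {"name": "Pinned-Dependencies", "score": 2, "reason": "unpinned dependencies"},
            {"name": "Code-Review", "score": 2, "reason": "few reviewed changesets"},
        ],
    }),
    "github.com/example/lib-b": json.dumps({
        "repo": {"name": "github.com/example/lib-b"},
        "score": 6.4,
        "checks": [
            {"name": "Dependency-Update-Tool", "score": 0, "reason": "no update tool detected"},
            {"name": "Maintained", "score": 10, "reason": "recent commits"},
            {"name": "Vulnerabilities", "score": 8, "reason": "2 existing vulnerabilities detected"},
            {"name": "Pinned-Dependencies", "score": -1, "reason": "internal error"},
            {"name": "Code-Review", "score": 8, "reason": "most changesets reviewed"},
        ],
    }),
    "github.com/example/lib-c": json.dumps({
        "repo": {"name": "github.com/example/lib-c"},
        "score": 9.0,
        "checks": [
            {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
        ],
    }),
    "github.com/example/lib-d": None,
}


def parse_scorecard(raw: str) -> Dict[str, Optional[int]]:
    """Return {check name: score} from one Scorecard JSON document."""
    doc = json.loads(raw)
    return {c["name"]: c.get("score") for c in doc.get("checks", [])}


def aggregate_score(raw: str) -> float:
    """The headline 0-10 score, kept only to show how little it tells us."""
    return float(json.loads(raw)["score"])


def red_flags(raw: Optional[str]) -> List[str]:
    """List red flags for one project; a missing scorecard is itself a flag."""
    if raw is None:
        return ["no-scorecard"]
    scores = parse_scorecard(raw)
    flags: List[str] = []
    for name, minimum in RED_FLAG_CHECKS.items():
        score = scores.get(name)
        if score is None:
            flags.append(f"{name}: not run")          # check absent from the report
        elif score < 0:
            flags.append(f"{name}: inconclusive")     # Scorecard's -1 sentinel
        elif score < minimum:
            flags.append(f"{name}: {score} < {minimum}")
    return flags


def triage(results: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Map each repo to its red flags, regardless of its aggregate score."""
    return {repo: red_flags(raw) for repo, raw in results.items()}


if __name__ == "__main__":
    for repo, flags in triage(SAMPLE_RESULTS).items():
        raw = SAMPLE_RESULTS[repo]
        headline = f"{aggregate_score(raw):.1f}" if raw else "n/a"
        print(f"{repo} (aggregate {headline}): {flags or ['ok']}")
```

Run it and lib-a and lib-b both report an aggregate of 6.4, yet lib-b is the one missing a dependency-update tool, carrying open vulnerabilities and an inconclusive pinning check; lib-c’s high headline score hides that most checks never ran, and lib-d has nothing to go on. Thresholds are a policy choice, so tune them to your own risk appetite rather than copying the ones above.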

