Improving Supply Chain Security: IBM as a user and a contributor to Open Source Security Foundation Scorecard

By Jamie Thomas, General Manager, Strategy & Development, Infrastructure & IBM Enterprise Security Executive and Chair of the OpenSSF Governing Board

For over two decades open-source software has been transforming the IT industry and enterprise software development. More recently, open-source use has grown exponentially. According to a recent study by The Linux Foundation, “it has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions.” As development speed increases, we need to make sure that all the components of the software are safe to use. Determining the trustworthiness of the dependencies and tools used within a project is the area commonly referred to as Software Supply Chain Security.

Just like shoppers of packaged food in a grocery store like to have a list of ingredients and know where these ingredients were sourced, it is becoming increasingly important for both the consumers and maintainers of free and open source software to proactively monitor the “health” of the components that they depend upon. This is where the Scorecard Project fits in.

The Scorecard Project

As supply chain security for software becomes increasingly important, we want to be able to scan open-source packages in a transparent, standardized way. The Scorecard Project was created for this purpose. Initially developed by Google and donated to the Open Source Security Foundation (OpenSSF), this tool runs a set of security checks against a repository and scores each check from 1-10. These scans provide actionable insight for multiple use cases, including securing supply chains that consume open source software (OSS) and helping open source project developers improve their own projects.
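One way a consumer puts those per-check scores to work is as a policy gate in dependency review: read Scorecard's report, compare the overall score and a few checks that matter most against minimum floors, and surface the reasons when a dependency falls short. The script below is an added example written for this post; it is not code from the Scorecard project or from IBM. It assumes the JSON shape produced by Scorecard's `--format=json` output (top-level `score`, and `checks` entries with `name`, `score` and `reason`) and that a score of -1 marks a check that could not run; confirm both against the Scorecard version you use. The sample report and the threshold values are constructed for illustration.

```python
"""
Added example (not part of the original post or the Scorecard project): a small
policy gate that consumes a Scorecard JSON report and decides whether a
dependency clears a minimum bar.

Assumptions (verify against your Scorecard version):
  - top-level "score" holds the aggregate score
  - "checks" is a list of {"name", "score", "reason"} objects
  - a check score of -1 means the check could not run (inconclusive)
"""
import json

# Constructed sample resembling `scorecard --repo=<url> --format=json` output.
# Values are invented for illustration only.
SAMPLE_SCORECARD_JSON = """
{
  "repo": {"name": "github.com/example-org/example-lib", "commit": "0000000"},
  "score": 5.8,
  "checks": [
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
    {"name": "Branch-Protection", "score": 3, "reason": "branch protection is not maximal on development and all release branches"},
    {"name": "Pinned-Dependencies", "score": 2, "reason": "dependency not pinned by hash detected"},
    {"name": "Token-Permissions", "score": 0, "reason": "non read-only tokens detected in GitHub workflows"},
    {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
    {"name": "Fuzzing", "score": -1, "reason": "internal error: could not run check"}
  ]
}
"""

# Illustrative policy: an overall floor plus per-check floors for the checks a
# consumer cares most about. These thresholds are assumptions, not guidance
# from the post or from OpenSSF.
DEFAULT_POLICY = {
    "min_overall": 6.0,
    "min_checks": {
        "Vulnerabilities": 10,
        "Token-Permissions": 7,
        "Pinned-Dependencies": 5,
        "Fuzzing": 1,
    },
}


def evaluate_scorecard(raw_json, policy=DEFAULT_POLICY):
    """Return (passed, findings); findings is a list of human-readable reasons."""
    data = json.loads(raw_json)
    findings = []

    overall = data.get("score")
    if overall is None or overall < policy["min_overall"]:
        findings.append(f"overall score {overall} below floor {policy['min_overall']}")

    by_name = {c["name"]: c for c in data.get("checks", [])}
    for name, floor in policy["min_checks"].items():
        check = by_name.get(name)
        if check is None:
            findings.append(f"check {name} missing from report")
            continue
        score = check["score"]
        reason = check.get("reason", "")
        # A negative score means the check did not produce a result; treat it as
        # unknown rather than as a pass so that a tooling failure cannot wave a
        # dependency through.
        if score < 0:
            findings.append(f"check {name} did not run: {reason}")
        elif score < floor:
            findings.append(f"check {name} scored {score} < {floor}: {reason}")

    return (not findings, findings)


if __name__ == "__main__":
    ok, reasons = evaluate_scorecard(SAMPLE_SCORECARD_JSON)
    print("PASS" if ok else "FAIL")
    for r in reasons:
        print(" -", r)
```

Running it on the constructed sample prints FAIL with four reasons: the aggregate is below the floor, two checks score under their floors, and the Fuzzing check is reported as not having run. Treating an inconclusive check as a failure rather than a pass is the design choice worth keeping: a gate that silently accepts missing data is easy to bypass by accident.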

Scorecard at IBM

Scorecard is becoming a key part of IBM’s review and curation of the open-source software in our products and services. IBM is committed to helping address the systemic security issues in modern software supply chains and believes an important part of this effort is to help the open-source ecosystem improve the overall security of open-source projects. Being a top-tier member of the Open Source Security Foundation, contributing tools to the OWASP community, and collaborating on the Scorecard Project are three recent proof points of this commitment. You can read more about IBM’s point of view regarding supply chain security and open source by checking out our IBM Policy Lab website.

IBM is not only a user of Scorecard, but a contributor as well. It was a great experience for our teams to collaborate with the OpenSSF community and share the ideas the IBM team had. It’s reassuring to know that for any issues we may encounter, there’s an active community to help us share, innovate, and improve the project.

Open-Source Security for All

IBM joined the OpenSSF initiative because it is a cross-industry organization that brings together some of the industry’s most important open source security initiatives and the individuals and companies that support them. We remain committed to collaboration with communities and stakeholders to advance open-source security for all.