Open Source Security Foundation (OpenSSF) Scorecards provide a way for open source users to determine whether maintainers are being diligent about securing their link in the software security supply chain. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge. This presentation will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across and organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Chris Swan is an Engineer at Atsign, building the atPlatform, a technology that is putting people in control of their data and removing the frictions and surveillance associated with today’s Internet. He was previously a Fellow at DXC Technology where he held various CTO roles. Before that he held CTO and Director of R&D roles at Cohesive Networks, UBS, Capital SCF and Credit Suisse, where he worked on app servers, compute grids, security, mobile, cloud, networking and containers. Chris co-hosts the Tech Debt Burndown Podcast, is a cloud editor for InfoQ and a Google Developer Expert (GDE) for the Dart programming language.