UPDATED 12:15 EST / MARCH 21 2024

Omkhar Arasaratnam, general manager of the Open Source Security Foundation at the Linux Foundation, talks with theCUBE at KubeCon + CloudNativeCon Europe 2024 about open-source security.

Enhancing open-source security: Collaborative strategies from OpenSSF

The issue of vulnerabilities in open-source components within software supply chains is increasingly attracting attention. For cybersecurity professionals, open source is often the supply chain segment where confidence in security measures is at its lowest.

To make open source better, there is a need for collaboration between the three primary stakeholders: the private sector, the public sector and the community, according to Omkhar Arasaratnam (pictured), general manager of the Open Source Security Foundation at the Linux Foundation.

“How do we help the community who may not be a security expert but really want to make sure that your code is secure or the provenance is good?” he asked. “Those are our stakeholders. By engaging with those … stakeholders, we believe we can help improve the security of open-source software.”

Arasaratnam spoke with theCUBE’s Rob Strechay and Dustin Kirkland at KubeCon + CloudNativeCon Europe, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the security of open-source software, specifically focusing on the strategies and initiatives of OpenSSF, including the engagement of various stakeholders. (* Disclosure below.)

Open-source security initiatives: The role of stakeholder collaboration and tools

One of OpenSSF’s strategies for fortifying open-source security is a set of workshops at the upcoming Open Source Summit North America, aimed at helping maintainers and contributors reach higher security standards, Arasaratnam explained.

A crucial tool for assessing the security posture of open-source projects is OpenSSF Scorecard, a report card that can be run against a project’s open-source dependencies. It lets both consumers and maintainers of open-source software make informed decisions based on a project’s security properties, promoting a more secure open-source ecosystem, Arasaratnam added.

“Scorecard … is literally a report card that you can run against the open-source dependencies that you have in your project,” he said. “It will take a set of known to be good security properties and test the repo either in GitHub or GitLab to validate that they’re present. It could be things like branch protection, two-factor authentications … it checks all these security properties and pops out a score for you.”
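Scorecard emits a machine-readable result that a consumer can turn into a dependency policy. The following is an added example, not code from the interview or from the Scorecard project: a Python gate over a constructed Scorecard-style result (the JSON field names are an assumption modelled on `scorecard --format json` output) that fails a dependency when branch protection or another required check scores below the consumer's threshold, and treats an inconclusive check (score -1) as a failure rather than a pass.

```python
import json

# Constructed sample result, shaped like `scorecard --repo=... --format json`
# output (the field names are an assumption about that format, not copied
# from a real run).
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example/dependency", "commit": "0000000"},
    "score": 6.8,
    "checks": [
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection not enabled on development/release branches"},
        {"name": "Code-Review", "score": 8, "reason": "most changes reviewed"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous patterns"},
        {"name": "Token-Permissions", "score": -1, "reason": "internal error"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no known vulnerabilities"},
    ],
})

# A consumer's minimum acceptable score per check (0-10). Scorecard reports
# -1 when a check could not be evaluated; the policy below treats that as a
# failure rather than silently passing.
POLICY = {
    "Branch-Protection": 5,
    "Dangerous-Workflow": 10,
    "Token-Permissions": 8,
    "Vulnerabilities": 10,
}
MIN_AGGREGATE = 5.0


def evaluate(result_json, policy=POLICY, min_aggregate=MIN_AGGREGATE):
    """Return a list of policy findings; an empty list means the dependency passes."""
    result = json.loads(result_json)
    scores = {check["name"]: check["score"] for check in result.get("checks", [])}
    findings = []
    aggregate = result.get("score", 0.0)
    if aggregate < min_aggregate:
        findings.append(f"aggregate score {aggregate} below {min_aggregate}")
    for name, minimum in policy.items():
        score = scores.get(name)
        if score is None:
            findings.append(f"{name}: not reported")
        elif score < 0:
            findings.append(f"{name}: inconclusive (score -1), treated as failing")
        elif score < minimum:
            findings.append(f"{name}: {score} < required {minimum}")
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RESULT):
        print(finding)
```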

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE Research’s coverage of KubeCon + CloudNativeCon Europe:

(* Disclosure: TheCUBE is a paid media partner for the KubeCon + CloudNativeCon Europe event. No sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
