While it's true that proprietary software can earn a lot of money, it's a pain to maintain. And open-source is one of the answers.
Some developers may think that open-source is not the very best of solutions. But this is where most people get it wrong. Nothing can compare to the speed open-source software is advancing. And this is why most commercial software, even proprietary ones, have parts that are taken from open-source projects.
While open-source projects have lots of advantages, but no matter how polarized some software developers are in promoting open-source projects, the open-source approach do have a number of disadvantages.
Besides issues, like the the lack of guarantee that patches will work, and that support may not be available, open-source projects tend to have outdated or insecure codes.
This can be huge problem, considering that an increasing number of software uses open-source codes.
While seasoned and knowledgeable developers can try to pinpoint the issue and solve it themselves, most developers will have a hard time.
Digging into the libraries and the components can be a real pain, especially if it requires deep code dive.
Here, Google offers a solution.
Google calls it the 'Scorecards'.
What it does, is create a score based on a set of automated pass/fail checks. With it, developers can quickly review many open-source software projects, without having to endure the pain of digging through the codes.
To make this happen, Scorecards automates a security tool that produces a "risk score" for open-source programs.
This kind of approach can certainly be useful.
A number of companies and lots of developers use systems to check for new open-source dependencies, and scan them for security problems. Google, even with all its capacity and resources, also do this, and consider the work tedious, manual and error-prone.
But with Scorecards, Google is making things easier.
In turn, this should lead to better security practices among developers, which should lead to better developments of critical projects.
And with version 2.0 of the project, Scorecards hopes to make security checks even easier to achieve.
On top of what Scorecards 1.x, version 2.0 introduces:
- Identifying Risks: Google has added several more checks.
- ISpotting malicious contributors: Contributors with malicious intent or compromised accounts can introduce potential backdoors into code, and with version 2.0, Scorecards can block them.
- IVulnerable Code: This allows checks to see if a project uses fuzzing and SAST tools as part of its continuous integration/continuous deployment (CI/CD) pipeline.
- IBuild system compromise: A common CI/CD solution used by GitHub projects is GitHub Actions. With Scorecard's Token-Permissions prevention, Scorecards can verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.
- IBad dependencies: Allows developers to assess the risks to their programs, to then mitigate those risks.