Securing open-source code supply chains may help prevent the next big cyberattack (Security News, November 2021)
The software industry does not currently track the source of all code, nor does it grade the level of security standards applied in these international code factories.
Establishing a grading scale to rate each piece of code would let a company determine more effectively the risk it inherits from that code.
In an effort known as repo scoring, Google ranked more than 200,000 open-source code repositories from 1 to 10 using the Google Scorecard program to determine the security hygiene of these "code factories".
Developers want to innovate, build, and push code while the security team wants to ensure that code is secure.
As a collective software industry, we need to ask ourselves how we can create and document standards for code repositories and make them publicly accessible, so the risk of the code is clear for any company that wants to use it.
Such frameworks are a necessity because Google's Scorecard program does not cover the entire open-source code universe, let alone the closed repositories that vendors use to develop their own code.
News URL: https://www.helpnetsecurity.com/2021/11/24/securing-open-source-code-supply-chains/