PREPRINT: Do OpenSSF Scorecard Practices Contribute to Fewer Vulnerabilities?

10/20/2022
by   Nusrat Zahan, et al.
0

Due to the ever-increasing security breaches, practitioners are motivated to produce more secure software. In the United States, the White House Office released a memorandum on Executive Order (EO) 14028 that mandates organizations provide self-attestation of the use of secure software development practices. The OpenSSF Scorecard project allows practitioners to measure the use of software security practices automatically. However, little research has been done to determine whether the use of security practices improves package security, particularly which security practices have the biggest impact on security outcomes. The goal of this study is to assist practitioners and researchers making informed decisions on which security practices to adopt through the development of models between software security practice scores and security vulnerability counts. To that end, we developed five supervised machine learning models for npm and PyPI packages using the OpenSSF Scorecared security practices scores and aggregate security scores as predictors and the number of externally-reported vulnerabilities as a target variable. Our models found four security practices (Maintained, Code Review, Branch Protection, and Security Policy) were the most important practices influencing vulnerability count. However, we had low R^2 (ranging from 9 counts. Additionally, we observed that the number of reported vulnerabilities increased rather than reduced as the aggregate security score of the packages increased. Both findings indicate that additional factors may influence the package vulnerability count. We suggest that vulnerability count and security score data be refined such that these measures may be used to provide actionable guidance on security practices.

READ FULL TEXT

page 1

page 7

research
06/27/2020

XI Commandments of Kubernetes Security: A Systematization of Knowledge Related to Kubernetes Security Practices

Kubernetes is an open-source software for automating management of compu...
research
05/28/2020

The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL

Context: The Heartbleed vulnerability brought OpenSSL to international a...
research
03/22/2023

Insecure by Design in the Backbone of Critical Infrastructure

We inspected 45 actively deployed Operational Technology (OT) product fa...
research
10/29/2020

Examining the Relationship of Code and Architectural Smells with Software Vulnerabilities

Context: Security is vital to software developed for commercial or perso...
research
03/07/2018

Gerrymandering and Compactness: Implementation Flexibility and Abuse

The shape of an electoral district may suggest whether it was drawn with...
research
10/27/2020

An Analysis of Security Vulnerabilities in Container Images for Scientific Data Analysis

Software containers greatly facilitate the deployment and reproducibilit...
research
08/26/2022

Factors Influencing the Organizational Decision to Outsource IT Security: A Review and Research Agenda

IT security outsourcing is the process of contracting a third-party secu...

Please sign up or login with your details

Forgot password? Click here to reset