DeepAI AI Chat
Log In Sign Up

PREPRINT: Do OpenSSF Scorecard Practices Contribute to Fewer Vulnerabilities?

by   Nusrat Zahan, et al.

Due to the ever-increasing security breaches, practitioners are motivated to produce more secure software. In the United States, the White House Office released a memorandum on Executive Order (EO) 14028 that mandates organizations provide self-attestation of the use of secure software development practices. The OpenSSF Scorecard project allows practitioners to measure the use of software security practices automatically. However, little research has been done to determine whether the use of security practices improves package security, particularly which security practices have the biggest impact on security outcomes. The goal of this study is to assist practitioners and researchers making informed decisions on which security practices to adopt through the development of models between software security practice scores and security vulnerability counts. To that end, we developed five supervised machine learning models for npm and PyPI packages using the OpenSSF Scorecared security practices scores and aggregate security scores as predictors and the number of externally-reported vulnerabilities as a target variable. Our models found four security practices (Maintained, Code Review, Branch Protection, and Security Policy) were the most important practices influencing vulnerability count. However, we had low R^2 (ranging from 9 counts. Additionally, we observed that the number of reported vulnerabilities increased rather than reduced as the aggregate security score of the packages increased. Both findings indicate that additional factors may influence the package vulnerability count. We suggest that vulnerability count and security score data be refined such that these measures may be used to provide actionable guidance on security practices.


page 1

page 7


The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL

Context: The Heartbleed vulnerability brought OpenSSL to international a...

Insecure by Design in the Backbone of Critical Infrastructure

We inspected 45 actively deployed Operational Technology (OT) product fa...

Examining the Relationship of Code and Architectural Smells with Software Vulnerabilities

Context: Security is vital to software developed for commercial or perso...

Gerrymandering and Compactness: Implementation Flexibility and Abuse

The shape of an electoral district may suggest whether it was drawn with...

An Analysis of Security Vulnerabilities in Container Images for Scientific Data Analysis

Software containers greatly facilitate the deployment and reproducibilit...

Factors Influencing the Organizational Decision to Outsource IT Security: A Review and Research Agenda

IT security outsourcing is the process of contracting a third-party secu...