Closed R3DRUN3 closed 1 year ago
Nice suggestion, I agree that users of open source components should assess components for suitability prior to their inclusion. However, I'm less sure that criticality score is the right way to do that.
AIUI the criticality score is focused on evaluating a component in the context of the wider industry, in order to make it easier to rationalise which projects the Securing Critical Projects WG should target with resources to help improve their security.
@joshuagl yes, you are right, but usually there is also a directly proportional relationship between the increase in the criticality score and the reliability (also from a security perspective) of open source software. This is why I mentioned that specific tool. I am absolutely open to suggestions in case of better tools that I might not be aware of.
Approved!
Added the following question in the How to Assess Where Your Organization is in the Maturity Model? paragraph:
"What tools do you use to evaluate the criticality of an open source project? (e.g. criticality score)"
Rationale: computing the criticality score when evaluating OSS can provide important objective indications of the quality of a project.
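As an added illustration (not part of this thread, and not the OpenSSF criticality_score project's own code), the block below reimplements the published criticality-score formula, C = (1/Σα_i) Σ α_i · log(1+S_i) / log(1+max(S_i, T_i)), with the per-signal weights α_i and thresholds T_i of the original algorithm, and runs it over two constructed repositories. The input numbers are made up; treating a missing signal as 0 is this example's own convention. It is useful for the discussion above because it makes visible which signals drive the score (age, activity, dependents) and that none of them is a direct security signal.

```python
"""Reference reimplementation of the OpenSSF criticality score formula (example only)."""
import math

# Per-signal (weight alpha_i, threshold T_i) from the published algorithm.
# Values are counts except created_since/updated_since, which are months.
SIGNAL_PARAMS = {
    "created_since": (1.0, 120),        # months since repo creation
    "updated_since": (-1.0, 120),       # months since last update; staleness is penalised
    "contributor_count": (2.0, 5000),
    "org_count": (1.0, 10),             # distinct contributor organisations
    "commit_frequency": (1.0, 1000),    # average commits per week, last year
    "recent_releases_count": (0.5, 26),
    "closed_issues_count": (0.5, 5000),
    "updated_issues_count": (0.5, 5000),
    "comment_frequency": (1.0, 15),     # average comments per issue
    "dependents_count": (2.0, 500000),  # downstream packages/repos
}


def signal_term(value, weight, threshold):
    """alpha_i * log(1+S_i) / log(1+max(S_i, T_i)); saturates at alpha_i once S_i >= T_i."""
    if value < 0:
        raise ValueError("signals are non-negative counts or month deltas")
    return weight * math.log(1 + value) / math.log(1 + max(value, threshold))


def contributions(signals):
    """Per-signal weighted terms. Missing signals count as 0 (this example's convention)."""
    return {
        name: signal_term(signals.get(name, 0), weight, threshold)
        for name, (weight, threshold) in SIGNAL_PARAMS.items()
    }


def criticality_score(signals):
    """Weighted, normalised sum of the signal terms, rounded like a score report would be."""
    total_weight = sum(weight for weight, _ in SIGNAL_PARAMS.values())
    return round(sum(contributions(signals).values()) / total_weight, 5)


# Constructed inputs: a widely used, busy library and a small, quiet one.
WIDELY_USED = {
    "created_since": 96, "updated_since": 0, "contributor_count": 800,
    "org_count": 30, "commit_frequency": 25, "recent_releases_count": 12,
    "closed_issues_count": 3000, "updated_issues_count": 1500,
    "comment_frequency": 4, "dependents_count": 120000,
}
SMALL_PROJECT = {
    "created_since": 12, "updated_since": 1, "contributor_count": 3,
    "org_count": 1, "commit_frequency": 2, "recent_releases_count": 3,
    "closed_issues_count": 20, "updated_issues_count": 15,
    "comment_frequency": 2, "dependents_count": 40,
}

if __name__ == "__main__":
    for label, repo in (("widely used", WIDELY_USED), ("small project", SMALL_PROJECT)):
        print(f"{label}: score={criticality_score(repo)}")
        for name, term in contributions(repo).items():
            print(f"  {name:24s} {term:+.3f}")
```

Reading the per-signal breakdown for either repository shows the point joshuagl raises: the score is a proxy for how much the ecosystem depends on and maintains a project, not a measure of its code quality or of its security practices, so it complements rather than replaces a component-level security assessment.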