ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

docs(framework): add assessment question on oss criticality #23

Closed R3DRUN3 closed 1 year ago

R3DRUN3 commented 1 year ago

Added the following question in the How to Assess Where Your Organization is in the Maturity Model? paragraph:

"What tools do you use to evaluate the criticality of an open source project? (e.g. criticality score)"

Rationale: computing the criticality score when evaluating OSS can provide important objective indications on the quality of a project.

R3DRUN3 commented 1 year ago

Nice suggestion, I agree that users of open source components should assess components for suitability prior to their inclusion. However, I'm less sure that criticality score is the right way to do that.

AIUI the criticality score is focused on evaluating a component in the context of the wider industry, in order to make it easier to rationalise which projects the Securing Critical Projects WG should target with resources to help improve their security.

@joshuagl yes, you are right, but usually there is also a directly proportional relationship between the increase in the criticality score and the reliability (also from a security perspective) of open source software. This is why I mentioned that specific tool. I am absolutely open to suggestions in case of better tools that I might not be aware of.
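To make the discussion above concrete, here is a worked computation of the criticality score formula that the proposed assessment question refers to. This is an added example, not code from the S2C2F project or the ossf/criticality_score project; it implements the published formula C = (1 / Σαᵢ) · Σ αᵢ · log(1 + Sᵢ) / log(1 + max(Sᵢ, Tᵢ)), and the per-signal weights and thresholds are the defaults as documented in the criticality_score README as I recall them (treat them as assumptions and check them against the current project). The two sample projects are constructed inputs. Note what the inputs are: age, activity, contributor and dependent counts. None of them is a security property, which is the point raised in the thread: the score measures how important a project is to the ecosystem, not how safely it can be consumed.

```python
import math

# Default weight (alpha) and max threshold (T) per signal, as published by the
# ossf/criticality_score project (ASSUMED from its README; verify before relying on them).
DEFAULT_PARAMETERS = {
    # signal name: (weight, max threshold)
    "created_since": (1.0, 120),           # months since the repository was created
    "updated_since": (-1.0, 120),          # months since last update; negative weight penalises staleness
    "contributor_count": (2.0, 5000),      # distinct contributors
    "org_count": (1.0, 10),                # distinct contributor organisations
    "commit_frequency": (1.0, 1000),       # average commits per week over the last year
    "recent_releases_count": (0.5, 26),    # releases in the last year
    "closed_issues_count": (0.5, 5000),    # issues closed in the last 90 days
    "updated_issues_count": (0.5, 5000),   # issues updated in the last 90 days
    "comment_frequency": (1.0, 15),        # average comments per issue in the last 90 days
    "dependents_count": (2.0, 500000),     # dependent projects / mentions
}


def signal_term(value, threshold):
    """Normalise one signal into [0, 1]: log(1 + S) / log(1 + max(S, T)).

    Values above the threshold saturate at 1.0, so one huge signal cannot
    dominate the score; a zero signal contributes 0.0.
    """
    if value < 0:
        raise ValueError("signals must be non-negative")
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(signals, parameters=DEFAULT_PARAMETERS):
    """Weighted average of the normalised signal terms.

    Missing signals are treated as 0. Because one weight is negative, the
    result is only approximately bounded by [0, 1]; in practice a large,
    actively maintained project lands near 1 and a tiny stale one near 0.
    """
    weighted_sum = 0.0
    weight_total = 0.0
    for name, (alpha, threshold) in parameters.items():
        value = float(signals.get(name, 0))
        weighted_sum += alpha * signal_term(value, threshold)
        weight_total += alpha
    return weighted_sum / weight_total


# Constructed sample inputs (not real projects).
SAMPLE_ACTIVE = {
    "created_since": 100, "updated_since": 0, "contributor_count": 3000,
    "org_count": 8, "commit_frequency": 50, "recent_releases_count": 12,
    "closed_issues_count": 800, "updated_issues_count": 1200,
    "comment_frequency": 4, "dependents_count": 100000,
}
SAMPLE_STALE = {
    "created_since": 6, "updated_since": 18, "contributor_count": 2,
    "org_count": 1, "commit_frequency": 0.1, "recent_releases_count": 1,
    "closed_issues_count": 3, "updated_issues_count": 4,
    "comment_frequency": 1, "dependents_count": 5,
}


def rank_projects(named_signals):
    """Return (name, score) pairs sorted from most to least critical."""
    scored = [(name, criticality_score(sig)) for name, sig in named_signals.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_projects({"active": SAMPLE_ACTIVE, "stale": SAMPLE_STALE}):
        print(f"{name:8s} {score:.3f}")
```

The ranking helper is the kind of use the Securing Critical Projects WG has for the score: ordering many projects so that limited help goes to the most depended-upon ones. Using it as an intake gate for a single dependency, as the proposed question suggests, gives you a proxy for maintenance activity and adoption, which should be combined with signals that actually speak to security (for example a Scorecard run, vulnerability history, or the other checks the maturity model already lists).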

adriandiglio commented 1 year ago

Approved!