Author: Michael Scovetta, on behalf of the Identifying Security Threats Working Group
The OpenSSF would like to announce the initial release of the Security Metrics initiative. The primary objective of this initiative is to provide valuable decisive information about threats and risks associated with open source projects. Security Metrics comes with a cognitive dashboard for stakeholders to make reliable informed decisions regarding using/accommodating such projects in their software supply chain.
How Does It Work?
Security Metrics does crucial security oriented data collection from informed sources such as:
- Scorecard – measures the security posture of open source projects
- Criticality Score – determines the influence and importance of open source projects
- Best Practices Badge – communicates how well security best practices are followed
- Security Reviews – displays security assessments performed by researchers
Here is an example of the information shown after a search for the Kubernetes project. While no single metric can fully describe the security risks of using a piece of software, we believe that having multiple metrics accessible from a central location can be helpful in making informed decisions.
Dashboard generated for the Kubernetes project
Where Are We Now?
Our initial “early alpha” release includes data collected on over 100,000 projects, accessible through a dashboard as well as a simple API. Over the next few months, we plan to release additional features (such as new metrics and richer API access), increase the number of projects covered, and improve the overall user experience.
You can access the Security Metrics at https://metrics.openssf.org. Your feedback is most welcome, and if you’re interested in learning more or joining this effort, please reach out to Michael Scovetta or join us at our next working group meeting.