By Ryan Ware, Intel
While people think of Intel as a hardware company, it has a surprisingly vast portfolio of software that it depends upon on a daily basis, be it software in its products, Intel-governed open source projects or simply open source projects that Intel contributes to. Additionally, the complexity of software these days makes it ever more difficult to ensure risk from the dependencies of all this software are understood by those that depend upon it. To that end, Intel has started using OpenSSF Scorecard to better understand the risk of the software it is using. I will take you through how Intel is utilizing OpenSSF Scorecard across our portfolio (both internally and externally facing) to better understand the risk to development teams and educate them on risks they are facing. Not only will I discuss the benefits OpenSSF Scorecard have brought, but also walk through the difficulties we encountered and share our learnings.
What is Scorecard and How We Use It
Scorecard is an automated tool from the OpenSSF that assesses 19 different vectors with heuristics (“checks”) associated with important software security aspects and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. This is great for an understanding of the security of your own software, but if you run it against your dependencies, it also gives you the risks those dependencies introduce. This allows you to make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
Intel currently uses Scorecard to validate the security of our own externally facing open source repositories. We feel it’s critical to ensure the software that we make available through our repositories is as secure as we can make it. It’s given us the opportunity to make some significant improvements. In the future, we will be putting processes in place to make sure that our Continuous Integration (CI) system is automatically grabbing Scorecard records for the open source projects we depend upon to help us understand the risk inherent in those projects.
Applying OpenSSF Scorecard at Intel
Scorecard is a useful tool that helps us to understand the ecosystem, unveil vulnerabilities, and sometimes uncover surprising results.
- Understanding the Ecosystem: Comprehending the vast GitHub landscape at Intel is a challenge. It’s not just about the number of repositories but also the organizational structures and variations in code practices. We currently have 95 different Intel owned GitHub organizations and thousands of repositories spread across those GitHub orgs, though the majority of active, open source repos are in the main github.com/intel org.
- Unveiling Vulnerabilities: There was a pivotal realization during Intel’s journey with OpenSSF Scorecard – the tool not only helped identify critical vulnerabilities but also played a role in validating security issues raised by external researchers. This underscores the practical value of using the Scorecard beyond internal assessments.
- Revealing Surprising Results: We had a few unexpected outcomes, such as low scores in fundamental areas like the presence of license and security.md files in repositories. This led to introspection about Intel’s processes and a commitment to improvement which is already showing improvement in our Scorecard measurements.
Challenges in Applying OpenSSF Scorecard at Intel: Challenges & Opportunities
Given the massive scale of Intel’s open-source ecosystem, it’s not as straightforward as running OpenSSF Scorecard on a repository, it can be a lot more challenging than expected. Intel’s challenge was not just about the quantity but also understanding the diversity and uniqueness of each repository, across our many GitHub organizations.
Intel faced challenges in incorporating OpenSSF Scorecard into our ecosystem, including API limitations and potential considerations for rolling out our own infrastructure versus relying on the existing community-based infrastructure.
Intel is advocating for incorporating additional checks into OpenSSF Scorecard, moving beyond the current metrics. We suggest evaluating metrics like mean time to fix vulnerabilities, an essential indicator of a project’s responsiveness to security issues.
One of the challenges Intel faced when working with teams to improve the security of their repos was making sure they understood the exact things those teams were being marked down on in their scores. Fortunately, Scorecard has a wonderful flag you can use when running the tool yourself: –show-details. This flag is amazingly useful at letting teams know about the exact reasons a result was marked down. For example, if a team is scored badly on “Binary-Artifacts”, this option will list the exact binaries that were found along with the score. It’s truly helpful for teams.
Optimistic Future Ahead
Despite challenges, I am optimistic about the future of OpenSSF Scorecard and its potential to become an industry standard. There is a need for ongoing collaboration between Intel and the Scorecard team, emphasizing the importance of adding new checks and features to enhance the tool’s effectiveness
In conclusion, Intel’s experience with OpenSSF Scorecard reflects the evolving nature of open source security practices within large organizations. Scorecard helps give us valuable insights into the complexities we faced, uncovers vulnerabilities, and is part of our commitment to driving continuous improvement in securing open source projects.
About the Author
Ryan Ware is Director of Open Source Security at Intel Corporation. With a focus on Open Source Software (OSS) security, he’s an industry veteran comfortable at the intersection of open source software and security, whether implementing security features, finding vulnerabilities or helping teams use OSS securely. He also drives Intel’s efforts in the Open Source Security Foundation (OpenSSF).