Guest Blog

Security used to be something of an afterthought in software development. Security was clunky or inconvenient, often because it was a ‘bolt-on’. That has rapidly changed over the last two years. Now, the world has finally realised that security needs to be ‘baked-in’, not ‘bolted-on’. Meaningful and impactful improvements can be achieved in OSS security engineering and development across ecosystems if the work is directed by non-profit foundations and financially supported by a plurality of public and private bodies on an ongoing basis.

Scorecard is becoming a key part of IBM’s review and curation of the open-source software in our products and services. IBM is committed to helping address the systemic security issues in modern SW supply chains and believes an important part of this effort is to help the open-source ecosystem improve the overall security of OS projects.

Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the Eclipse Foundation, the Rust Foundation, and the Open Source Security Foundation (OpenSSF) partnered to field a software supply chain security survey.

A new report by the Atlantic Council’s Cyber Statecraft Initiative helps draw light on the question on what “open source as infrastructure” really means, and why it matters: Avoiding the success trap: Toward policy for open-source software as infrastructure.

The widespread use of software bill of materials (SBOMs) arguably depends on SBOM quality—that SBOMs contain sufficient and accurate information for the intended user to achieve their goals. But, until recently, it has been difficult to measure SBOM quality. New SBOM quality tools, a new SBOM dataset, and new SBOM quality research changes this state of affairs though. What do these new tools, datasets, and research findings say about the current state of SBOM quality? And how can you make high-quality SBOMs?