February 1-2, 2023 | Seattle, WA
Wednesday, February 1 • 3:50pm - 4:25pm
How Do You Trust Your Open Source Software? - Naveen Srinivasan, Endor Labs & Brian Russell, Google

Open source demand continues to explode, yet the processes used to run, test, and maintain these projects are largely opaque. This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about using and maintaining open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecard. Most software is built with hundreds if not thousands of dependencies and transitive dependencies, and knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn't it be nice to get a score of the dependency's health? Enter OSSF (https://github.com/ossf) Scorecard (https://securityscorecards.dev). By attending this session, you will learn how to trust an open source project based on its Scorecard results. Additionally, you will learn how to automate Scorecard by incorporating it into your development toolchain (just add an API call!). Using this knowledge, you'll be able to build a simple dependency policy for your open-source dependencies. The difference between our last presentation and now is the new API capabilities of Scorecard, which can be utilized to scale.
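The dependency policy the abstract describes, as an added example that is not code from the talk or from the Scorecard project: it fetches a project's Scorecard result and denies the dependency when the aggregate score or selected checks fall below a floor. The API URL, the JSON field names and the check names are assumptions based on the public Scorecard service; the sample result is constructed so the policy runs offline.

```python
import json
from urllib.request import urlopen

# Assumed public Scorecard REST endpoint (not quoted from the talk).
API_URL = "https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}"

# Policy: floor on the aggregate score plus floors on selected checks
# (check names follow Scorecard's published check list; assumed here).
POLICY = {
    "min_score": 5.0,
    "min_check_scores": {"Maintained": 5, "Dangerous-Workflow": 10, "Binary-Artifacts": 10},
}

def fetch_scorecard(owner, repo):
    """Fetch a live result as a dict (needs network; field names assumed)."""
    with urlopen(API_URL.format(owner=owner, repo=repo), timeout=30) as resp:
        return json.load(resp)

def evaluate(result, policy=POLICY):
    """Return (allowed, reasons) for one Scorecard result dict.

    A check missing from the result is scored -1 (Scorecard's own value for
    an inconclusive check), so an absent check fails its floor rather than
    silently passing.
    """
    reasons = []
    if result.get("score", -1) < policy["min_score"]:
        reasons.append(f"aggregate score {result.get('score', -1)} < {policy['min_score']}")
    found = {c["name"]: c.get("score", -1) for c in result.get("checks", [])}
    for name, floor in policy["min_check_scores"].items():
        score = found.get(name, -1)
        if score < floor:
            reasons.append(f"{name} score {score} < {floor}")
    return (not reasons, reasons)

# Constructed sample in the shape the API returns (not real data).
SAMPLE = {
    "repo": {"name": "github.com/example-org/example-lib"},
    "score": 6.8,
    "checks": [
        {"name": "Maintained", "score": 10, "reason": "30 commit(s) in the last 90 days"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous patterns found"},
        {"name": "Binary-Artifacts", "score": 7, "reason": "binaries present in source code"},
    ],
}

if __name__ == "__main__":
    allowed, why = evaluate(SAMPLE)
    print("ALLOW" if allowed else "DENY", SAMPLE["repo"]["name"], why)
```

Swap `SAMPLE` for `fetch_scorecard("owner", "repo")` to run the same policy against a live result in a CI step.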

Naveen Srinivasan

OSS Contributor, Independent
Naveen Srinivasan is a contributor and maintainer of multiple OpenSSF projects, a member and contributor to the Sigstore organization, and a contributor to the SLSA code base. His contributions have earned him recognition with Google Peer Bonus awards in 2021 and 2022. He has consistently contributed to the open-source community for an extended period, with no gaps in activity for the past two years. In addition to his technical contributions, he is a sought-after speaker at conferences, discussing topics related to supply chain security and mitigating...
Brian Russell

Program Manager, Google

Wednesday February 1, 2023 3:50pm - 4:25pm PST
Room 613/614
Track: Supply Chains
Content Experience Level: Any