You are viewing content from a past/completed conference.
  
    
  
  
        
    
  
    
      
  
Implementing OSSF Scorecards Across an Organization
    
  
    
      
	
	
	
	
	
		
		
	
	
		
			
				
					
					                    Abstract
					
						Open Source Security Foundation (OSSF) Scorecards provide a way for open source users to determine whether maintainers are being diligent about securing their link in the software supply chain. Practices such as pinning dependencies, branch protection, required reviews, and continuous integration tests are measured to provide a score and an accompanying badge.
This presentation will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once Scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
					 
					
						
					
					
					Speaker
     
    
    
            Chris Swan
      Engineer @atsigncompany
          
    Chris Swan is an Engineer at Atsign, building the atPlatform, a technology that is putting people in control of their data and removing the frictions and surveillance associated with today’s Internet. He was previously a Fellow at DXC Technology where he held various CTO roles. Before that he held CTO and Director of R&D roles at Cohesive Networks, UBS, Capital SCF and Credit Suisse, where he worked on app servers, compute grids, security, mobile, cloud, networking and containers. Chris co-hosts the Tech Debt Burndown Podcast and is a Dart Google Developer Expert (GDE).
    
    
       
 
 
				
			 
		 
	
			
			
				From the same track
				
					
    
        Session
        
        Maximizing Performance and Efficiency in Financial Trading Systems through Vertical Scalability and Effective Testing
        Wednesday Jun 14 / 10:35AM EDT
        
            
            In the fast-paced world of financial trading, speed and efficiency are essential. To achieve this, vertical scalability is crucial in order-processing systems. However, achieving vertical scalability can be a significant challenge for developers. That's why testing is critical.
      
        
        	
		 
		
			Peter Lawrey
			CEO @Chronicle_SW
		 
	 
 
     
 
    
        Session
        Data
        Performance and Scale - Domain-Oriented Objects vs Tabular Data Structures
        Wednesday Jun 14 / 11:50AM EDT
        
            
            Working with large data structures in memory poses certain restrictions on performance and scalability.
      
        
        	
		 
		
			Donald Raab
			Managing Director and Distinguished Engineer @BNY Mellon
		 
	 
	
		 
		
			Rustam Mehmandarov
			Chief Engineer @Computas AS 
		 
	 
 
     
 
    
        Session
        API Security
        Protecting APIs in Financial Services with Zero Trust Overlay Mesh Networks
        Wednesday Jun 14 / 01:40PM EDT
        
            
            As any senior software developer in the financial services industry knows, protecting APIs from cyber threats and attacks is critical.
      
        
        	
		 
		
			Clint Dovholuk
			Head of Developer Experience @OpenZiti / NetFoundry
		 
	 
 
     
 
    
        Session
        
        Unconference: Next Gen Fintech
        Wednesday Jun 14 / 02:55PM EDT
        
            
            What is an unconference?
An unconference is a participant-driven meeting. Attendees come together, bringing their challenges and relying on the experience and know-how of their peers for solutions.
      
        
        