OpenSSF Scorecard versus Bitergia Risk Radar: Proactive Open Source Risk Assessment

Open source software (OSS) is now the backbone of countless projects, making up as much as 90% of a modern software application. While the collaborative nature of OSS brings immense benefits, it also exposes companies to security risks. Understanding the security posture of your dependencies is crucial, and thankfully, tools like OpenSSF Scorecard and Bitergia Risk Radar are designed to help.

But what exactly are these tools, and how do they differ? More importantly, when should you choose one over the other? Let’s delve into the details and highlight some of the unique innovations of Bitergia Risk Radar.

What Both Have in Common

Both of these offerings give companies visibility into the otherwise opaque open source projects they rely on. Both were created to provide organizations with data about those projects—data that can aid in effective decision-making and open source risk management. Organizations can decide to accept the risk, or they may decide to use a different project instead, or even to reach out to the project and engage with it. 

Both also provide a simple score for each dependency on a scale from 1-10:

  • OpenSSF Scorecard assigns a score (and optionally a badge) to a project based on the number of checks that pass. This provides a quick visual indicator of the project’s security maturity, and then users can make decisions about what to do with projects with lower scores.
  • Bitergia Risk Radar provides a simple risk score that can help users focus their attention on dependencies that need further investigation. A score of 10 means a project is “Very High Risk,” while a 1 signifies sustainability and effective maintenance. The score is an aggregate of key project health metrics, which users can then drill down into to get a deeper analysis of each dependency.

There is some overlap in the types of data these two offerings assess, but not much. What each offering looks at, and how it approaches risk assessment, differs greatly.

OpenSSF Scorecard: A Quick Check on Project Security Posture

The image of the armoured goose holding up a scorecard reading “10” is a prominent one in the open source world. The OpenSSF Scorecard is an initiative by the Open Source Security Foundation (OpenSSF) that automatically assesses the security posture of open source projects. It does this by analyzing various signals related mostly to the project’s infrastructure, though also, to some extent, to its maintenance. 

Here are the aspects and some of the questions about dependencies that OpenSSF Scorecard addresses:

  • Does the project have unfixed vulnerabilities?
  • Does the project have issues with maintenance? For example, does it use tools to help update its dependencies, have a security policy, or declare a security license?
  • Does the project perform continuous testing? This includes CI testing, fuzzing, and use of SAST.
  • Does the project have source risks, such as lack of branch control and code review?
  • Does the project have build risks? For example, does it fail to pin its dependencies or to restrict token permissions?

In addition to the risk score, which is an aggregate of the topics above, the tool provides automated prompts to help with fixing many of the problems it detects. These recommendations make the Scorecard useful also for project owners and maintainers, guiding them to improve the security posture of their project.

Bitergia Risk Radar: A Comprehensive View of Dependency Risk at Scale

Bitergia Risk Radar takes a more comprehensive and human-centric approach to assessing software supply chains. It evaluates dependencies by using SBOMs as inputs, providing a bird’s-eye view of hundreds of thousands of dependencies at a time. Bitergia’s data scientists developed this offering because there was no existing model that could provide a sweeping analysis of a software supply chain at scale. There was also nothing else that delved so completely into the sustainability and maintainability of open source projects.

Bitergia Risk Radar takes a human-centric approach. Its core focus is on project health, which is the overall well-being and resilience of a software development project from a social point of view. “Social,” in this case, refers to the contributor community and their development activity. A healthy project, one that has a thriving community and efficient activity, is resistant to attacks and sustainable over the long term.

On the flip side, an unhealthy project poses risk. And organizations have a responsibility to know that risk and to act on it. The next section delves into the metrics that the Bitergia Risk Radar uses to detect project warning signs.

Community Risk Metrics Help Ensure Project Sustainability

Bitergia Risk Radar uses key metrics to analyze the sustainability of projects based on community dynamics and development processes. A declining or inactive community, for example, can be a significant risk factor that leaves a project open to attacks. Bitergia developed this service to help large companies predict where threats in the software supply chain are most likely to happen, before they become costly problems.

Bitergia Risk Radar focuses on seven key metrics to evaluate the maintenance and sustainability of dependencies. For some companies and projects, other metrics are more relevant, and so Bitergia uses those. However, all of these metrics fall into three categories:

  • Community sustainability indicators:
    • How sustainable is the project?
    • Does the project depend on only a few people?
    • What is the inflow of active contributors that can sustain the project? How many of the existing contributors are leaving the project? Is this ratio well-balanced?
    • How is the number of people currently active in the project evolving?
  • Process-oriented metrics and good practices:
    • How efficiently and effectively do the maintainers address the project’s issues?
    • How efficiently and effectively do the maintainers address the project’s pull requests?
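To make the questions above concrete, here is a small Python sketch (added for illustration; it is not Bitergia's model or code) that computes indicators of this kind from a constructed commit log and issue list: contributor concentration, contributor inflow versus outflow between two periods, the trend in active contributors, and issue-closing efficiency. The sample data, the half-year periods and the thresholds behind the warning flags are all assumptions.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample data (not from any real project); an issue whose closed date is None is still open.
COMMITS = [
    ("alice", date(2023, 1, 5)), ("bob", date(2023, 1, 20)), ("alice", date(2023, 2, 9)),
    ("carol", date(2023, 3, 15)), ("alice", date(2023, 4, 2)), ("dave", date(2023, 5, 9)),
    ("alice", date(2023, 6, 1)), ("alice", date(2023, 7, 4)), ("dave", date(2023, 7, 20)),
    ("erin", date(2023, 9, 30)), ("alice", date(2023, 10, 5)), ("alice", date(2023, 12, 12)),
]
ISSUES = [(date(2023, 2, 1), date(2023, 2, 4)), (date(2023, 5, 10), date(2023, 5, 30)),
          (date(2023, 8, 3), None), (date(2023, 9, 14), date(2023, 11, 1))]
H1 = (date(2023, 1, 1), date(2023, 7, 1))  # first half of the year
H2 = (date(2023, 7, 1), date(2024, 1, 1))  # second half of the year

def bus_factor(commits, share=0.5):
    """Fewest authors who together wrote at least `share` of all commits."""
    total = 0
    for n, (_, count) in enumerate(Counter(a for a, _ in commits).most_common(), 1):
        if (total := total + count) >= share * len(commits):
            return n

def active_authors(commits, start, end):
    """Authors with at least one commit in the half-open period [start, end)."""
    return {a for a, d in commits if start <= d < end}

def inflow_outflow(commits, prev, cur):
    """Contributors new in `cur` compared with `prev` (inflow) and gone from it (outflow)."""
    before, now = active_authors(commits, *prev), active_authors(commits, *cur)
    return len(now - before), len(before - now)

def issue_efficiency(issues):
    """Share of issues closed and the median days-to-close among the closed ones."""
    days = [(closed - opened).days for opened, closed in issues if closed]
    return len(days) / len(issues), (median(days) if days else None)

def warning_signs(commits, issues, prev, cur):
    """Plain-language flags mirroring the community and process questions above."""
    joined, left = inflow_outflow(commits, prev, cur)
    flags = []
    if bus_factor(commits) <= 1:
        flags.append("depends on a single contributor")
    if len(active_authors(commits, *cur)) < len(active_authors(commits, *prev)):
        flags.append("number of active contributors is shrinking")
    if left > joined:
        flags.append("more contributors leaving than joining")
    if issue_efficiency(issues)[0] < 0.5:
        flags.append("fewer than half of the issues get closed")
    return flags
```

On the sample data, a single author writes more than half the commits and two contributors leave while only one joins, so the project is flagged on three of the four checks even though its issues are closed promptly.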

Once Bitergia Risk Radar has provided the risk scores, companies can then drill down to see the breakdown of those scores. They can identify any specific weakness in the community activity, whether it is insufficient maintenance, poor efficiency, or something else.

From there, companies can take action. The information this tool can provide is invaluable to setting up processes, allocating resources, and setting hearts at ease that the dependencies underlying their projects are sustainable.

Bitergia Risk Radar Focuses on Developer Communities

Many essential tools exist to help companies manage their open source dependencies. The most common of these scan for known vulnerabilities. OpenSSF Scorecard takes this scanning a step further and also gives visibility into the security infrastructure of open source projects (source risks, build risks, etc.). Bitergia Risk Radar fills a gap in open source risk management. It recognizes that open source projects are primarily social, and so the maintainability and sustainability of a project over the long term, and its openness to attacks, depend on the community that underlies it.

When it comes to assessing open source risk from a social perspective, Bitergia Risk Radar is the only tool that does this. The chart below shows how OpenSSF Scorecard compares when analyzing maintainer activity:

Software supply chain attacks are on the rise. At the same time, new legislation requires companies to be responsible for their supply chains over the long term. That’s why it’s more crucial than ever for companies to know the weaknesses in the open source communities behind dependencies. That way, they can make critical decisions about where to invest their attention and resources. And they can get ahead of costly problems before they arise.

Bitergia Risk Radar Is Less Prescriptive & More Inclusive

The Bitergia Risk Radar takes an inclusive approach. The risk model looks at open source projects of all types and analyzes the existing open source projects, accepting them for their current state. We do not make any demands on the projects to change themselves.

This is in contrast to the OpenSSF Scorecard, which was developed with the goal of influencing security best practices, steering open source projects toward a particular security infrastructure. The gameability of the Scorecard is by design: individual metrics are tied to very specific configurations that projects can adopt, and enabling those security-critical settings improves the Scorecard score.

The focus of Bitergia Risk Radar is on the community dynamics in the entire software supply chain, rather than the security infrastructure of a particular project. That’s why its intent is less to make quick fixes, and more to have an in-depth understanding that can drive overall open source strategy and decision-making.

When to Use Which Tool

OpenSSF Scorecard: an excellent starting point for quickly and easily assessing the basic security posture of an open source project. It focuses on a project’s infrastructure and gives prescriptive recommendations for areas of improvement.

  • It’s a valuable tool for developers and teams looking for a high-level overview of a project’s security posture in terms of its infrastructure and existing vulnerabilities. 

Bitergia Risk Radar: built for organizations that require a more in-depth, big-picture approach to managing open source supply chain risk at scale.

  • Its focus on social activity and efficiency is truly unique. It is also urgent at a time when supply chain attacks are on the rise and new legislation like the CRA requires companies to be responsible for their supply chains over the long term.

Conclusion

Both OpenSSF Scorecard and Bitergia Risk Radar play important roles in reducing open source risk. While Scorecard offers a valuable assessment of current project infrastructure and vulnerabilities, Bitergia Risk Radar provides a more holistic and contextual understanding of risk by analyzing community activity and efficiency. 

Bitergia Risk Radar offers a window into the community dynamics that will help determine whether or not dependencies are sustainable over the long term. It is the more proactive approach, helping companies know their risk well before a costly threat comes about.

Learn more about Bitergia Risk Radar or schedule a conversation to discover if this is the right approach for your organization.

This blog post was written by Julia Lawson, with help from Georg Link, Luis Cañas-Díaz, Miguel Ángel Fernández Sánchez, and Jamie Ayala.

Julia Lawson

Technical Writer at Bitergia