How to trust open source software: A conversation with OpenSSF's Naveen Srinivasan

ConversingLabs caught up with Srinivasan to discuss how OpenSSF's Security Scorecard can aid developers in assessing open source software components for their projects.

conversinglabs podcast title card how do you trust open source software

For software engineers to keep up with the pace of software delivery in the world of continuous delivery/continuous integration (CI/CD), they rely on open source codebases to meet deadlines and create a quality product. But while open source code is essential to developers — it has also become a major problem for secure software development.

The Synopsis 2021 Open Source Security and Risk Analysis Report found that 84% of all scanned codebases have at least one software vulnerability, with an average of 158 per codebase. This makes it incredibly easy for developers to accidentally use open source components that could have potential security vulnerabilities in them, creating application security and software supply chain security risk.

The effort to review open source code for vulnerabilities is also a tedious task, making it less likely that harried software developers will review these dependencies to assess their security risk. This is why open source software developers created an essential tool known as OpenSSF Scorecard (also known as Security Scorecard). The tool, which is part of the Open Source Security Foundation, assesses open source projects for security risks through a series of automated checks.

At this year’s RSA Conference in San Francisco, one of Security Scorecard’s maintainers, Naveen Srinivasan, presented alongside Brian Russell of Google to share how Security Scorecard works and why it’s an essential tool in better securing software applications and supply chains.

ConversingLabs host Paul Roberts caught up with Srinivasan on the sidelines of RSAC to follow up with him on his presentation. The two discussed the following:

What Security Scorecard is
How the tool fits into the application security ecosystem
What dangers are currently present to the development process
How software vulnerabilities compare to other supply chain risks

Here is their conversation, ConversingLabs: How Do You Trust Open Source Software?:

The ConversingLabs episode is also available to watch on-demand — or listen to wherever you get your podcasts.

Keep learning

Read the 2025 Gartner® Market Guide to Software Supply Chain Security. Plus: See RL's webinar for expert insights.
Get the white paper: Go Beyond the SBOM. Plus: See the webinar: Welcome CycloneDX xBOM.
Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our webinar for discussion about the findings.
Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and replay our Webinar to learn how RL discovered the novel threat.
Learn how commercial software risk is under-addressed: Download the white paper — and see our related webinar for more insights.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security

How to trust open source software: A conversation with OpenSSF's Naveen Srinivasan

ConversingLabs caught up with Srinivasan to discuss how OpenSSF's Security Scorecard can aid developers in assessing open source software components for their projects.

Keep learning

Spectra Assure Free Trial