Linux Security Summit Europe 2023

Can we calculate the security risk of a software repository based on its software development practices? A well-maintained project with a CI system, code-reviews & lots of users would be reasonably expected to be less risky than a project without those qualities. Software repositories contain a myriad of information that can be used to quantify these properties, and this forms the bases of the Open Source Security Foundation’s Scorecard project: distill it all into an easy-to-comprehend “Security Score” to quickly judge the potential risk of any open-source project. But do we really get software that’s less risky if it gets a high score on the Scorecard? How would we know? We argue that the metrics the Scorecard factors into its scoring system are equally applicable to predicting bugs in software. Since we have solid tools for finding bugs in C and C++ we can check to a certain degree if there is a connection between the two! We conducted automated scans on thousands of the most popular repositories on GitHub with a variety of state-of-the-art bug finding tools to see if we can find a relationship. In this talk we'll go through the details of our analysis and discuss the results.