Open-source software saves development time, but it should be adopted carefully: the code is in the hands of maintainers and contributors you know nothing about.
🚩 The threat of criminals intentionally weaponizing open-source tools grows every year. Recently a new kind of risk has emerged: developers living under repressive regimes can be coerced into introducing backdoors against their will.
⚠️ Backdoors and vulnerabilities introduced into OSS can have ruinous consequences.
One way to catch them is to run vulnerability scanners over the third-party libraries your project uses, but such scanners only match against vulnerabilities that are already known and published, so the alert can come long after the dependency has shipped.
Another option is to identify and quantify the security risks tied to a third-party library before adding it to your product.
To help developers avoid the risks of weaponized OSS, our security engineers have built RepoMetaScore. It is a tool that collects information about a project and its contributors, analyzes it, and calculates risk ratings by several criteria: GitHub and Twitter profiles, location, commit history, email domain, and so on.
💡 Note that RepoMetaScore (📥 GitHub) should not be the only tool you use to assess an open-source repository's credibility. Use it as one additional check among others for mitigating current threats in open source.
RepoMetaScore uses only public information that contributors have disclosed themselves. It collects that information through the platforms' APIs and summarizes the results as a risk rating. It can be the first check in the series of security checks developers go through when deciding whether to adopt a project.
Give RepoMetaScore the link to the repository in question and get back the risk rating together with general information about the repository's contributors.
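As an added illustration (not RepoMetaScore's own code, weights or data), the script below shows how a metadata-based risk rating of the kind described above can be computed from contributor records shaped like GitHub's REST API responses (GET /repos/{owner}/{repo}/contributors joined with GET /users/{login}). The sample records, the signal weights, the free-mail domain list, the fixed reference date and the watchlist location "Atlantis" are all constructed assumptions for the example; the API calls themselves are left out so that it runs offline.

```python
"""Contributor-metadata risk scoring, illustrating the RepoMetaScore workflow.

Added example: every signal, weight and threshold here is an assumption made for
illustration, not RepoMetaScore's own scoring logic.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fixed reference date so that account-age results are reproducible (assumption).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of GitHub REST API payloads
# (/repos/{owner}/{repo}/contributors merged with /users/{login}); values are fictional.
CONTRIBUTORS = [
    {"login": "alice-maint", "contributions": 842, "created_at": "2013-04-02T10:11:12Z",
     "email": "alice@example-corp.com", "location": "Berlin", "twitter_username": "alice_dev"},
    {"login": "drive-by-7781", "contributions": 3, "created_at": "2024-01-15T09:00:00Z",
     "email": "x7781@mailinator.com", "location": None, "twitter_username": None},
    {"login": "bob", "contributions": 120, "created_at": "2018-07-20T00:00:00Z",
     "email": None, "location": "Atlantis", "twitter_username": None},
]

# Assumed free/disposable mail providers; a real deployment would use a curated list.
FREE_MAIL_DOMAINS = {"gmail.com", "mailinator.com", "protonmail.com", "yandex.ru"}


@dataclass
class Finding:
    signal: str
    weight: int


@dataclass
class ContributorScore:
    login: str
    score: int                      # higher means riskier
    findings: list[Finding] = field(default_factory=list)


def account_age_days(created_at: str, now: datetime = NOW) -> int:
    """Days since the account was created, from GitHub's ISO-8601 created_at."""
    created = datetime.strptime(created_at, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now - created).days


def score_contributor(c: dict, *, now: datetime = NOW,
                      location_watchlist: frozenset[str] = frozenset()) -> ContributorScore:
    """Turn one contributor record into a risk score plus the findings behind it."""
    findings: list[Finding] = []
    age = account_age_days(c["created_at"], now)
    if age < 180:                                   # fresh account: commit history is thin
        findings.append(Finding(f"account is only {age} days old", 3))
    if c.get("contributions", 0) < 5:               # drive-by committer in this repository
        findings.append(Finding("fewer than 5 commits in this repository", 2))
    email = c.get("email")
    if not email:
        findings.append(Finding("no public email", 1))
    else:
        domain = email.rsplit("@", 1)[-1].lower()   # email domain criterion
        if domain in FREE_MAIL_DOMAINS:
            findings.append(Finding(f"free/disposable mail domain {domain}", 2))
    if not c.get("location"):                       # location criterion
        findings.append(Finding("no location disclosed", 1))
    elif c["location"] in location_watchlist:
        findings.append(Finding(f"location on watchlist: {c['location']}", 3))
    if not c.get("twitter_username"):               # linked social profile criterion
        findings.append(Finding("no linked Twitter profile", 1))
    return ContributorScore(c["login"], sum(f.weight for f in findings), findings)


def score_repository(contributors: list[dict], *, now: datetime = NOW,
                     location_watchlist: frozenset[str] = frozenset()) -> tuple[int, list[ContributorScore]]:
    """Repository rating = score of its riskiest contributor (weakest-link model)."""
    scores = [score_contributor(c, now=now, location_watchlist=location_watchlist)
              for c in contributors]
    return max(s.score for s in scores), scores


if __name__ == "__main__":
    rating, scores = score_repository(CONTRIBUTORS, location_watchlist=frozenset({"Atlantis"}))
    print(f"repository risk rating: {rating}")
    for s in sorted(scores, key=lambda s: s.score, reverse=True):
        print(f"  {s.login:<16} score={s.score}")
        for f in s.findings:
            print(f"      +{f.weight}  {f.signal}")
```

Rating the repository by its riskiest contributor rather than by an average reflects the threat model of this post: one coerced or malicious committer is enough to plant a backdoor, so the weakest link sets the rating, while the per-contributor findings tell a reviewer what to verify by hand before trusting the dependency.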