Viktor Petersson logo


Follow Me

Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.

Podcast Image
Episode 9
Chris Swan

Mastering OpenSSF Scorecards & SBOMs with Chris Swan

Play On Listen to podcast on YouTube Listen to podcast on Spotify Listen to podcast on Apple Listen to podcast on Amazon music
21 APR • 2024 59 mins

In this episode of “Nerding Out with Viktor,” today’s guest is Chris Swan, a veteran of the London tech scene. Viktor and Chris recently reconnected at State of OpenCon in London, where Chris presented on OpenSSF Scorecards. Intrigued by the topic, Viktor invited Chris to the show to delve deeper into the concept.

Chris introduces himself, sharing his background as an engineer at AtSign, a company developing a networking 2.0 platform focused on end-to-end encrypted connections. He explains how his role in security-critical functionalities at AtSign led him to OpenSSF and Scorecards. Chris also provides a brief history of his career, starting from the Royal Navy as a combat systems engineer, transitioning through the dot-com bubble, financial services, and various roles in IT services and startups.

Viktor asks Chris to elaborate on OpenSSF, the Open Source Security Foundation, which is relatively new and part of the Linux Foundation. Chris explains that OpenSSF, driven initially by Google, aims to improve security across the open-source ecosystem. He highlights how the Scorecard project within OpenSSF allows organizations to demonstrate their commitment to security.

Chris explains how AtSign adopted Scorecards to show their dedication to security, especially for their open-source repositories. He notes that Scorecards provide a visual indicator of security practices, which has been effective in addressing potential customers’ security concerns.

Viktor inquires about the applicability of Scorecards to private repositories. Chris affirms that while the Scorecards are particularly beneficial for public repositories, they can also drive good security practices internally within organizations, even for private repositories.

Chris then delves into the specifics of Scorecards, explaining the various metrics they evaluate, such as dependency management, CI/CD practices, static and dynamic analysis, and compliance with OpenSSF best practices. He describes how Scorecards parse GitHub workflows and other indicators to assess these metrics, encouraging a culture of security within the development process.

Viktor and Chris discuss the impact of Scorecards on development practices, emphasizing the cultural shift towards better security hygiene. They also touch on the challenges of maintaining quick feedback cycles in CI/CD pipelines while integrating comprehensive security checks.

The conversation shifts to SBOMs (Software Bill of Materials), with Chris explaining their importance in providing transparency about software dependencies and potential vulnerabilities. He outlines the genesis of SBOMs, driven by a US executive order, and their role in supply chain security. Viktor and Chris discuss the challenges and current state of SBOM tooling and its integration into CI/CD workflows.

Chris provides a brief overview of NIST 2.0, the updated cybersecurity framework released recently, noting its emphasis on governance and the inclusion of newer security paradigms. He emphasizes the evolving landscape of cybersecurity standards and their implications for organizations.

As the episode wraps up, Chris highlights AtSign’s open-source product, SSH NoPorts, which allows for remote administration without open ports. He encourages listeners to explore this tool, especially those dealing with IoT devices and home labs.

Viktor thanks Chris for the insightful discussion, and the episode concludes with an invitation to listeners to check out AtSign and SSH NoPorts for more information.

Found an error or typo? File PR against this file.