Hello, welcome to the Thursday, November 12, 2020 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Well, in case you missed it, we had another traffic analysis quiz by Brad, where he does present a

P-CAP of an actual infection, and then

you get to analyze it and in this case figure out what kind of infection, what type of malware

was used in this case. So a pretty neat way to hone your skills, and of course Brad will for sure shortly post

a solution to this quiz.

And the Open Source Security Foundation has published its first of real product after being

initiated this summer by the Linux Foundation, and that's

security scorecards for open source projects.

The problem that's trying to solve is that when you're using a particular open source project,

it's really hard to sort of gauge how secure,

insecure a particular project is. So they're now publishing an automatable scorecard

that is going to help to judge the security posture of open source projects.

So of course, this has a little bit a checklist feeling to it, but I think the items they're

looking for do make sense, for example, is there a code review being done?

They're really just checking if one is done, not whether or not it's done right or wrong, or are they using, for example, some fussing, are they using some static code analysis?

I think it makes a ton of sense.

Of course, can always find someone who says, hey, but if I just do a code review and I don't really put any effort in it, I still have insecure software.

That's not really what this is trying to solve.

It just shows if you bother to do a code review that you have thought at least somewhat about security.

And it's better than not doing a code review.

...