September 19-21, 2023
Bilbao, Spain
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit Europe 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Central European Summer Time (UTC/GMT +2). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Tuesday, September 19 • 15:40 - 16:20
Adventures in Securing an Open Source Project: From Repo Security Zero to Hero - Kara Olive & Pedro Nacht, Google

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

There's been a sharp increase in known attacks on open source projects in recent years. If you’re new to open source development, you might not be aware of free tools and techniques for protecting your project. As members of the Google Open Source Security Team (GOSST), we created a real project with all the worst security practices we could fit into a single repository and then scored it with the OpenSSF Scorecard tool (which evaluates a project's use of security best practices and provides steps to remediate any weaknesses). We were able to bring the project’s score down to a 1.2/10 score, when just using GitHub's default settings would give you a 4.5! We then used Scorecard to guide us through securing the project from end to end, raising its score into the top 1% of the 1M+ projects rated by Scorecard. All the tools we used are freely available to developers, and this talk will focus on those most accessible to beginners. We’ll share lessons we learned from this effort, including: -Tips for getting started securing your own open source projects -Advice on choosing on-ramp improvements that give the best ratio of effort versus payoff -Examples of common actions that make your project susceptible to multiple threat vectors—plus the straightforward ways to mitigate them.


Kara Olive

Technical Writer, Google
Kara is a technical writer for the Google Open Source Security Team, which works to secure the open source projects that the world relies on. Her favorite part of the role is explaining security concepts to newcomers, including writing documentation for the OpenSSF Scorecard project... Read More →

Pedro Nacht

Software Engineer, Google
After working as a structural engineer, a developer for an engineering software firm, and a financial analyst, Pedro now works in Google's Open Source Security Team, with full-time dedication to improving the supply chain security of important open source projects.

Tuesday September 19, 2023 15:40 - 16:20 CEST
Room 0C (Floor 0)
  • Audience Level Any
  • Presentation Slides Attached Yes