SOSS Fusion 2024

The US Department of Defense, like many industrial, academic, and government institutions across the world, are intricately dependent on open source software and seek concrete means to objectively assess the trustworthiness of not only the products of the OSS ecosystem but also the processes enacted by projects to produce that software. One such DoD project, Unified Platform, is developing techniques to evaluate publicly available information from OSS projects to determine the risk levels associated with using the open source software, both now and in the future. Current efforts are concentrating on evaluating a project’s processes, policies, and practices. This includes leveraging tools such as MITRE’s Hipcheck, the Open Source Security Foundation’s Scorecard, and other sources to support Unified Platform's Software Approval Process and Software Supply Chain Practices. This presentation will cover how these techniques are providing the insight needed by this DoD project to address emerging DoD guidance in the use of open source software.