Google has released a new tool for developers that automates the enforcement of security settings on their projects and verifies that those settings have not been tampered with. The tool, called Allstar, is designed to detect when security-critical settings on a repository have changed.
Allstar, combined with another Google tool called Scorecard, gives project maintainers assurance that their security settings are what they expect them to be, according to Jeff Mendoza, the lead engineer on Allstar at Google.
Developers can also use Scorecard to assess their project and then automatically enforce the appropriate policies with Allstar.
Scorecard evaluates projects against 18 distinct checks, such as whether dependencies are kept up to date automatically, and uses automated vulnerability detection to catch flaws that are easy to find.
According to the announcement on the OpenSSF blog, Google released the tool so that anyone can use software like Allstar. Allstar monitors a repository on GitHub and checks that no unwanted changes have been made to it: the repository's configuration is compared against the project's security policy and, wherever the two do not match, the configured enforcement action is applied (Allstar can log the mismatch, open an issue on the repository, or fix the setting itself).
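To make that comparison concrete, here is an added example (written for this page, not Allstar's own code) of a policy-drift check in the same style: a repository's settings, constructed inline and shaped loosely after GitHub's repository and branch-protection REST responses, are compared against a hypothetical policy document, and every mismatch is reported together with the enforcement action the policy asks for. The policy field names, the `check_*` helpers and the sample data are this example's own assumptions; only the three action names (log, issue, fix) come from Allstar.

```python
from dataclasses import dataclass

# Constructed sample of a repository's settings. The shape loosely mirrors
# fields of GitHub's repository and branch-protection REST responses, but
# every value here is made up for the example.
SAMPLE_REPO_SETTINGS = {
    "default_branch": "main",
    "branch_protection": {
        "main": {
            "required_pull_request_reviews": {
                "required_approving_review_count": 0,
                "dismiss_stale_reviews": False,
            },
            "allow_force_pushes": {"enabled": True},
        }
    },
    "has_security_md": False,
    "outside_collaborators": [
        {"login": "contractor-1", "permission": "push"},
        {"login": "contractor-2", "permission": "admin"},
    ],
}

# Hypothetical policy document. Field names are this example's own, chosen to
# resemble the kind of settings Allstar's policies cover; "action" is what to
# do on a mismatch (Allstar itself offers log, issue and fix).
POLICY = {
    "branch_protection": {
        "action": "issue",
        "approval_count": 1,
        "dismiss_stale": True,
        "block_force": True,
    },
    "security_policy": {"action": "issue"},
    "outside_collaborators": {"action": "log", "admin_allowed": False},
}


@dataclass(frozen=True)
class Violation:
    policy: str   # which policy failed
    action: str   # enforcement action the policy asks for
    message: str  # human-readable reason


def check_branch_protection(settings, cfg):
    """Compare the default branch's protection with the policy."""
    branch = settings.get("default_branch", "main")
    bp = settings.get("branch_protection", {}).get(branch)
    if bp is None:
        # Edge case: no protection rule at all is a violation, not "nothing to check".
        return [f"default branch {branch!r} has no branch protection at all"]
    problems = []
    reviews = bp.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < cfg["approval_count"]:
        problems.append(f"fewer than {cfg['approval_count']} required approving review(s)")
    if cfg["dismiss_stale"] and not reviews.get("dismiss_stale_reviews", False):
        problems.append("stale reviews are not dismissed on new commits")
    if cfg["block_force"] and bp.get("allow_force_pushes", {}).get("enabled", False):
        problems.append("force pushes are allowed")
    return problems


def check_security_policy(settings, cfg):
    """A SECURITY.md (vulnerability reporting policy) must exist."""
    return [] if settings.get("has_security_md") else ["repository has no SECURITY.md"]


def check_outside_collaborators(settings, cfg):
    """Outside collaborators must not hold admin unless the policy allows it."""
    if cfg.get("admin_allowed", False):
        return []
    admins = [c["login"] for c in settings.get("outside_collaborators", [])
              if c.get("permission") == "admin"]
    return [f"outside collaborator {login!r} has admin access" for login in admins]


CHECKS = {
    "branch_protection": check_branch_protection,
    "security_policy": check_security_policy,
    "outside_collaborators": check_outside_collaborators,
}


def evaluate(settings, policy):
    """Run every configured policy and return the list of violations found."""
    violations = []
    for name, cfg in policy.items():
        check = CHECKS.get(name)
        if check is None:
            continue  # unknown policy name: nothing to enforce
        for msg in check(settings, cfg):
            violations.append(Violation(name, cfg.get("action", "log"), msg))
    return violations


if __name__ == "__main__":
    for v in evaluate(SAMPLE_REPO_SETTINGS, POLICY):
        print(f"[{v.action}] {v.policy}: {v.message}")
```

Run against the constructed sample, the check reports five violations: three against branch protection (too few required reviews, stale reviews not dismissed, force pushes allowed), a missing SECURITY.md, and an outside collaborator with admin rights. In a real deployment the settings dictionary would be fetched from the GitHub API on a schedule, and the `action` field would decide whether the finding is merely logged, turned into an issue, or corrected automatically.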
Mendoza says:
"With the popularity of open source, attackers see a compromised project as a way to penetrate both closed and open systems. The attacks come through the software supply chain: either by attacking the code base directly, or by injecting something somewhere between the code and the way a project is built and used in other systems."