SecAppDev 2025 lecture details
Reviewing 3rd party libraries security using Scorecards
We rely on 3rd party libraries, which introduces security risks. OpenSSF’s Scorecard helps assess package security. This session explores its checks and additional insights to strengthen supply-chain security.
Schedule TBD
Abstract
Around 80% of applications rely on third-party code, but using 3rd party libraries comes with security risks. Updating dependencies helps, but what about malicious code or supply-chain attacks? OpenSSF’s Scorecard project offers a security assessment for packages, like what nutrition labels do on food.
In this session we start out with the different areas covered by OpenSSF Scorecard, such as how well a project is maintained and whether its build uses dangerous workflows. Combined, these checks allow us to assess a library's security posture more easily and improve our own application security.
Key takeaway
Understanding how to leverage the OpenSSF Scorecard to review used 3rd party libraries more easily.
Content level
Introductory
Target audience
Developers, Architects and Application Security Professionals
Prerequisites
None
Niels Tanis
Security Researcher, Veracode
Expertise: Application Security and software development
Related lectures
The Bug Bounty Effect: From DevSecOops to Success!
Deep-dive lecture by Emil Vaagland
Discover how bug bounty programs outperform traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.
Navigating the Security Landscape of Modern AI
Deep-dive lecture by Vera Rimmer
In this session, we will overview the general security landscape of AI technologies, including foundational machine learning, deep learning, and large language models.
Key takeaway: Integrating AI inevitably increases the threat landscape of a system. Understanding how AI can be exploited is key to developing effective mitigations.
OpenAPI as a security tool, not just documentation
Deep-dive lecture by Philippe De Ryck
OpenAPI specs are more than docs—they can drive API security. Learn how to use them in spec/code-first workflows to find vulnerabilities, guide audits, and power security tools for testing, attacks, and runtime protection.
Key takeaway: A well-crafted OpenAPI spec can uncover security issues, guide audits, and power tools for testing, making it a key asset in your API security strategy.