SecAppDev 2025 lecture details
Reviewing 3rd party libraries security using Scorecards
We rely on third-party libraries, and that reliance introduces security risks. OpenSSF's Scorecard helps assess a package's security posture. This session explores its checks and additional insights to strengthen supply-chain security.
Tuesday June 3rd, 14:00 - 15:30
Room West Wing
Abstract
Around 80% of applications rely on third-party code, but using third-party libraries comes with security risks. Updating dependencies helps, but what about malicious code or supply-chain attacks? OpenSSF's Scorecard project offers a security assessment for packages, much like nutrition labels do for food.
In this session we start out with the different areas covered by OpenSSF Scorecard, such as how well a project is maintained and whether its build uses dangerous workflows. Combined, these checks let us assess a library's security posture more easily and improve our own application security.
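To make the "nutrition label" concrete, here is a small triage script (an added example, not code from the lecture or from the Scorecard project) that reads the JSON a Scorecard run produces (the `checks` array with a `name`, a 0-10 `score` and a `reason` per check, with -1 for checks Scorecard could not evaluate) and sorts the checks into blocking, advisory and inconclusive buckets. The sample result is constructed for this example, and the choice of which checks count as critical is this example's own policy, not a Scorecard default.

```python
"""Triage a dependency's OpenSSF Scorecard result.

Added example (not from the lecture or the Scorecard project): it reads the
JSON that a Scorecard run prints for a repository and reports which checks
fall below a chosen threshold, so a reviewer sees at a glance where a
library's posture is weak. The sample result below is constructed for this
example, not a real scan.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of Scorecard JSON output: an overall score
# plus one entry per check with its name, 0-10 score and reason.
# A score of -1 means the check could not be evaluated (inconclusive).
SAMPLE_RESULT = json.dumps({
    "date": "2025-06-03",
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0000000"},
    "score": 5.4,
    "checks": [
        {"name": "Maintained", "score": 10,
         "reason": "30 commit(s) and 5 issue activity found in the last 90 days"},
        {"name": "Dangerous-Workflow", "score": 0,
         "reason": "dangerous workflow patterns detected"},
        {"name": "Pinned-Dependencies", "score": 3,
         "reason": "dependency not pinned by hash detected"},
        {"name": "Signed-Releases", "score": -1,
         "reason": "no releases found"},
        {"name": "Branch-Protection", "score": 8,
         "reason": "branch protection is not maximal on all release branches"},
    ],
})

# Checks whose failure points directly at supply-chain risk, which this
# example treats as blocking rather than advisory (an assumed policy).
CRITICAL_CHECKS = {"Dangerous-Workflow", "Pinned-Dependencies", "Maintained"}


def triage(result_json: str, threshold: int = 5) -> Dict[str, List[str]]:
    """Group checks into 'blocking', 'advisory' and 'inconclusive' buckets.

    A check lands in 'blocking' when it is in CRITICAL_CHECKS and scores below
    the threshold, in 'advisory' when any other check scores below it, and in
    'inconclusive' when Scorecard reported -1 for it.
    """
    data = json.loads(result_json)
    buckets: Dict[str, List[str]] = {"blocking": [], "advisory": [], "inconclusive": []}
    for check in data["checks"]:
        name, score = check["name"], check["score"]
        if score == -1:
            buckets["inconclusive"].append(name)
        elif score < threshold:
            bucket = "blocking" if name in CRITICAL_CHECKS else "advisory"
            buckets[bucket].append(name)
    return buckets


def verdict(result_json: str, threshold: int = 5) -> str:
    """Return 'reject' if any critical check failed, else 'review' or 'accept'."""
    buckets = triage(result_json, threshold)
    if buckets["blocking"]:
        return "reject"
    if buckets["advisory"] or buckets["inconclusive"]:
        return "review"
    return "accept"


if __name__ == "__main__":
    data = json.loads(SAMPLE_RESULT)
    print(f"{data['repo']['name']} overall {data['score']}/10 -> {verdict(SAMPLE_RESULT)}")
    for bucket, names in triage(SAMPLE_RESULT).items():
        for name in names:
            reason = next(c["reason"] for c in data["checks"] if c["name"] == name)
            print(f"  [{bucket}] {name}: {reason}")
```

The point of bucketing rather than reading the single aggregate score is that an overall 5.4 hides a failing Dangerous-Workflow check; an inconclusive check (here Signed-Releases) is also surfaced for manual review instead of being silently counted as a pass.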
Key takeaway
Understanding how to leverage the OpenSSF Scorecard to review used 3rd party libraries more easily.
Content level
Introductory
Target audience
Developers, Architects and Application Security Professionals
Prerequisites
None

Niels Tanis
Security Researcher, Veracode
Expertise: Application Security and software development
Related lectures
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
The Bug Bounty Effect: From DevSecOops to Success!
Deep-dive lecture by Emil Vaagland in room Lemaire
Tuesday June 3rd, 09:00 - 10:30
Discover how bug bounty programs outperform traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.
Break things, but not security: CI/CD done right
Deep-dive lecture by Gijs Van Laer in room West Wing
Monday June 2nd, 11:00 - 12:30
Also available as a recorded session on Tuesday June 3rd, 14:00 - 15:30
Learn how to secure your CI/CD pipeline without slowing down. We cover risks, best practices, essential tools, real-world attacks, and how to justify your security investments.
Key takeaway: Secure CI/CD is achievable without sacrificing speed: start with key tools, embed best practices, and scale smart.