Our Journey with the OpenSSF
At Medplum, our mission is to provide the open source developer platform for healthcare. We believe that open source is the best way to build secure and interoperable healthcare applications. However, with the rising concern over software supply chain attacks, we understand that being "open source" isn't enough; we need to actively prove our commitment to security.
That's why a few months ago, we decided to ramp up our participation in the Open Source Security Foundation (OpenSSF). We're excited to share the progress we've made in two of their key programs: the Best Practices Badge and the Scorecard.
OpenSSF Best Practices
The OpenSSF Best Practices Badge program provides a framework for open source projects to demonstrate that they follow security-related best practices. It is a detailed self-assessment questionnaire, awarded at three levels (passing, silver, and gold), that covers a wide range of topics from secure development processes and change control to cryptography and vulnerability reporting.
We're incredibly proud to announce that the Medplum repository has achieved full "gold" status, the highest level a project can receive. This wasn't a simple task; it involved meticulously reviewing our processes and code to ensure we met every single requirement. You can view our full report here. This achievement validates our foundational commitment to building secure and reliable software.

OpenSSF Scorecard
While the Best Practices Badge is a self-assessment, the OpenSSF Scorecard is where the rubber truly meets the road. This automated tool inspects the repository itself and verifies whether the project actually adheres to critical security practices: branch protection, least-privilege workflow token permissions, dependencies pinned by hash, signed releases, known vulnerabilities in dependencies, and more. Each check is scored from 0 to 10 and rolled up into a single aggregate score. When we first ran the Scorecard on our repository, the results were humbling. The tests are rigorous, and they don't hold back.
Over the past few months, we've worked tirelessly to improve our Scorecard results. We are proud to say that Medplum is now consistently scoring 9.5+ out of 10. We see this not as an endpoint, but as a continuous journey to push for a higher and higher score, ensuring our users can trust the security of our platform. You can see our current Scorecard results here.
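One way to keep a score like this from regressing is to gate CI on Scorecard's machine-readable output. The following Python script is an added example, not Medplum's code and not part of the Scorecard project: it parses the JSON that `scorecard --repo=github.com/<org>/<repo> --format=json` emits, lists every evaluated check below a per-check floor, treats checks scored -1 (Scorecard's value for checks it could not evaluate, such as Signed-Releases on a repository with no releases) as not applicable rather than as failures, and exits non-zero when the aggregate or any evaluated check falls below the thresholds. The embedded result document is constructed to match the layout of Scorecard's JSON output; its repository, version, scores and reasons are made up, and the thresholds 9.0 and 7 are arbitrary choices.

```python
"""Gate CI on OpenSSF Scorecard results.

Reads the JSON that `scorecard --repo=github.com/<org>/<repo> --format=json`
emits and fails the build when the aggregate score, or any evaluated check,
drops below a threshold. Added example, not project code.
"""
import json
import sys

# Constructed sample: the field layout mirrors Scorecard's JSON format, but the
# repository, version, scores and reasons are invented for illustration.
SAMPLE_RESULTS = r'''
{
  "date": "2024-01-01",
  "repo": {"name": "github.com/example/example", "commit": "0000000"},
  "scorecard": {"version": "v4.13.1", "commit": "0000000"},
  "score": 8.7,
  "checks": [
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo", "details": null},
    {"name": "Branch-Protection", "score": 8, "reason": "branch protection is not maximal on development and all release branches", "details": null},
    {"name": "Pinned-Dependencies", "score": 6, "reason": "dependency not pinned by hash detected", "details": ["Warn: GitHub-owned action not pinned by hash: .github/workflows/ci.yml"]},
    {"name": "Token-Permissions", "score": 10, "reason": "GitHub workflow tokens follow principle of least privilege", "details": null},
    {"name": "Signed-Releases", "score": -1, "reason": "no releases found", "details": null},
    {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected", "details": null},
    {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected", "details": null}
  ]
}
'''

# Score Scorecard assigns when a check could not be evaluated (e.g. no releases).
NOT_APPLICABLE = -1


def parse_results(text: str) -> dict:
    """Parse Scorecard JSON and validate the fields the gate relies on."""
    data = json.loads(text)
    if "score" not in data or not isinstance(data.get("checks"), list):
        raise ValueError("not a Scorecard JSON result: missing 'score' or 'checks'")
    for check in data["checks"]:
        if "name" not in check or "score" not in check:
            raise ValueError(f"malformed check entry: {check!r}")
    return data


def weak_checks(results: dict, min_check: int) -> list[tuple[str, int, str]]:
    """Return (name, score, reason) for every evaluated check below min_check.

    Checks scored -1 were not applicable and are skipped, not treated as failures.
    """
    return [
        (c["name"], c["score"], c.get("reason", ""))
        for c in results["checks"]
        if c["score"] != NOT_APPLICABLE and c["score"] < min_check
    ]


def not_applicable(results: dict) -> list[str]:
    """Names of checks Scorecard could not evaluate for this repository."""
    return [c["name"] for c in results["checks"] if c["score"] == NOT_APPLICABLE]


def gate(results: dict, min_aggregate: float, min_check: int) -> bool:
    """True when the aggregate score and every evaluated check meet the thresholds."""
    return results["score"] >= min_aggregate and not weak_checks(results, min_check)


def report(results: dict, min_aggregate: float, min_check: int) -> str:
    """Human-readable summary ending in PASS or FAIL."""
    lines = [f"aggregate score: {results['score']} (minimum {min_aggregate})"]
    for name, score, reason in weak_checks(results, min_check):
        lines.append(f"  below {min_check}: {name}={score}: {reason}")
    for name in not_applicable(results):
        lines.append(f"  not evaluated: {name}")
    lines.append("PASS" if gate(results, min_aggregate, min_check) else "FAIL")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: scorecard --repo=github.com/<org>/<repo> --format=json > results.json
    #        python gate.py results.json
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    results = parse_results(text)
    print(report(results, min_aggregate=9.0, min_check=7))
    sys.exit(0 if gate(results, 9.0, 7) else 1)
```

Run it after the `scorecard` step in CI (or after the `ossf/scorecard-action` step, which can write the same JSON through its `results_format` input) so that a pull request that unpins an action or loosens a workflow's token permissions fails before it merges rather than showing up as a lower score weeks later.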

Bigger Picture: Why This Matters
Our journey with the OpenSSF programs is not just about our project; it's about the state of open source security as a whole. A recent paper, “An Analysis of Supply Chain Security in Research Software,” highlights just how challenging this space is. The paper examines the Scorecard scores of 3,248 research software repositories, and the findings are eye-opening.
The study found that the mean aggregate Scorecard score was 3.5 out of 10, which leaves substantial room for improvement across the majority of the scanned repositories.

While these stats are a bit sobering, they underscore why our achievements with the Best Practices Badge and the high Scorecard rating are so important. They are a clear signal to our users and the community that we take supply chain security seriously and have gone above and beyond to build a platform that you can trust.
We will continue to be active participants in the OpenSSF community and programs, constantly striving to improve our security posture and contribute to a more secure open source ecosystem for everyone.