How Secure Is Academic Open Source? Insights From the UC OSPO Network
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Explore the security landscape of academic open source software through a comprehensive analysis of the University of California's OSPO Network initiative. Learn about the unique security challenges facing academic institutions that produce substantial amounts of open source software, particularly in scientific research, where security often takes a backseat to functionality. Discover how many academic developers lack formal training in secure coding practices, leading to widely used tools that may remain vulnerable or poorly maintained over time. Examine the critical role that University Open Source Program Offices (OSPOs) play in addressing these gaps by promoting sustainability and implementing better development practices across academic institutions. Gain insights into the UC-wide effort to build a comprehensive dataset of UC-affiliated GitHub projects and to assess their security posture using industry-standard tools and methods, including OpenSSF Scorecard, static analysis, contributor centralization metrics, and dependency analysis. Review preliminary findings from this large-scale assessment and understand the specific challenges that make academic software development different from commercial software development. Explore a reproducible methodology that other universities can adopt to evaluate and improve their own open source security practices. Understand how this research reveals both limitations in current security tooling and new opportunities for OSPOs to better support researchers in creating safer, more sustainable academic open source projects.
Syllabus
How Secure Is Academic Open Source? Insights From the UC OSPO Network - Juanita Gomez
Taught by
CNCF [Cloud Native Computing Foundation]