For many, writing a computer program isn’t that hard—it simply requires a certain amount of structural and logical thinking and a clear understanding of the syntax of the language you are using.
Developing software with a greater security posture adds an extra layer of complexity to this process, however, something which not all developers understand or are able to achieve. Open source can help. Open source developers, security researchers, and auditors can see your code, spot potential flaws, and perhaps even help you make fixes.
This doesn’t mean that the developers are free to write insecure software assuming people will correct the flaws or errors for free—it actually means that they now have a greater responsibility to create high-quality code that is free of known vulnerabilities.
If you are an open source software developer or project lead, there are several things you can do to help develop software that is more secure.
1. Learn everything you can
Learning about security and how to develop code securely is a good starting point. There are several resources which are available online, most of which are free (in the true open source spirit), including:
- Secure Software Development Fundamentals Courses from OpenSSF is an excellent starting point.
- Red Hat Developers’ You’ve Got Microservices… Let’s Secure Them! talks about securing microservices and includes links to other secure coding guides.
- The Fedora project defensive coding guide is a good starting point if you want to learn language-specific quirks, etc.
- Also, try looking at the CVE database of previously found security flaws. These often contain links to references and can be an important way to learn how these vulnerabilities were caused in the first place.
2. Get your code peer-reviewed
- If you are a team of developers then great, you already have teammates who can peer review your code before you commit.
- If you are a sole developer, no problem! Asking for help on public forums or mailing lists should be fine. Just get another set of eyes on your code—it always helps!
3. Use free security tools
- There are plenty of free security analysis tools available on the internet. These range from free source code scanners to threat modeling tools and even binary analysis tools which you could use.
- Even those which provide basic functionality for free can help provide important insights into your project.
4. Have a process to respond to vulnerabilities
- Secure software development is not only about detecting flaws early but is also about responding to issues that are detected after code has been shipped to customers and users.
- Have a place to report security issues—probably an email address—and make sure this is properly advertised on the project page. Some reporters only like to send encrypted emails, so think about how you want to handle this.
- Respond to reporters in a timely fashion. Any issues fixed should also be converted to security advisories and prominently displayed on the project page so that customers and users know if their version of the software is vulnerable or not.
5. Network and keep yourself updated
- Doesn’t this apply to everything? As a developer you keep yourself updated with the latest technologies or even the newest languages, so spend a few extra cycles to stay up to date on the latest attacks and the newest tools available. In the end, it should all be worth it!
6. Understand your weakest links
We all know the proverb: A chain is only as strong as its weakest link. This is also true for secure software development. As a developer, you use all methods you can to make your code as secure as possible, but there are other factors at play. Here are some things to keep in mind.
- How secure is your build toolchain? If you are distributing pre-built binaries along with your code, how secure are your compilers, linkers, and other build toolchain components? Are you using the correct flags while building?
- Where is your source code hosted? If it is a cloud-based git repository, who else has access to the code, and how secure are your credentials?
- Do you sign your source-code tarballs? Do you use any modern tools like sigstore to ensure transparency?
Thinking about securely developing your code is a process, and it takes time to train developers and reviewers to have the right mindset for this process. In the end, however, a diligent process helps both the consumers of the code as well as the developers. If you’re a developer, there is plenty of help available and it is only a question of learning the right methods and tools to get on the right path.
