David A. Wheeler's Blog

Sun, 13 Dec 2020

FLOSS Weekly #609!

I’m currently scheduled to be a guest on FLOSS Weekly on Wednesday, 2020-12-16, at 12:30pm Eastern Time (9:30am Pacific, 17:30 UTC). The general topic will be about Linux Foundation work on improving Open Source Software security.

Please join the live audience or listen later. I expect it will be interesting. I expect that we’ll discuss the Open Source Security Foundation (OpenSSF), the Report on the 2020 FOSS Contributor Survey, the free edX trio of courses on Secure Software Development Fundamentals, and the CII Best Practices Badge program.

path: /security | Current Weblog | permanent link to this entry

Report on the 2020 FOSS Contributor Survey

It’s here! You can now see the Report on the 2020 Free and Open Source Software (FOSS) Contributor Survey! This work was done by the Linux Foundation under the Core Infrastructure Initiative (CII) and later the Open Source Security Foundation (OpenSSF), along with Harvard University.


Secure Software Development Fundamentals

If you develop software, please consider taking the free trio of courses Secure Software Development Fundamentals on edX that I recently created for the Linux Foundation’s Open Source Security Foundation (OpenSSF). The trio of courses is free; if you want to get a certificate to prove you learned it, you can pay to take some tests to earn the certificate (this is how many edX courses work).

Here’s a brief summary:

Almost all software is under attack today, and many organizations are unprepared in their defense. This professional certificate program, developed by the Open Source Security Foundation (OpenSSF), a project of the Linux Foundation, is geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software, focusing on practical steps that can be taken, even with limited resources, to improve information security. The program enables software developers to create and maintain systems that are much harder to successfully attack, reduce the damage when attacks are successful, and speed the response so that any latent vulnerabilities can be rapidly repaired. The best practices covered in the course apply to all software developers, and it includes information especially useful to those who use or develop open source software.

The program discusses risks and requirements, design principles, and evaluating code (such as packages) for reuse. It then focuses on key implementation issues: input validation (such as why allowlists and not denylists should be used), processing data securely, calling out to other programs, sending output, cryptography, error handling, and incident response. This is followed by a discussion of various kinds of verification issues, including tests (including security testing and penetration testing) and security tools. It ends with a discussion of deployment and handling vulnerability reports.

The training courses included in this program focus on practical steps that you (as a developer) can take to counter most common kinds of attacks. It does not focus on how to attack systems, how attacks work, or longer-term research.

Modern software development depends on open source software, with open source now being pervasive in data centers, consumer devices, and services. It is important that those responsible for cybersecurity are able to understand and verify the security of the open source chain of contributors and dependencies. Thanks to the involvement of OpenSSF, a cross-industry collaboration that brings together leaders to improve the security of open source software by building a broader community, targeted initiatives, and best practices, this program provides specific tips on how to use and develop open source secur

I also teach a graduate course on the design and implementation of secure software. As you might expect, a graduate course isn’t the same thing. But please, if you’re a software developer, take the free edX courses, my class, or in some other way learn about how to develop secure software. The software that society depends on needs to be more secure than it is today. Having software developers know how to develop secure software is a necessary step towards creating that secure software we all need.
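The allowlist-versus-denylist point from the course summary above, as an added example that is not code from the course or from this blog: a constructed username check written both ways, showing the inputs a denylist author never listed, plus one regex anchoring pitfall that bites even allowlists. The validation rule, names and sample inputs are all assumptions made for this example.

```python
import re

# Allowlist: state exactly what a valid value looks like; everything else is rejected.
# Constructed rule for this example: 1-32 ASCII letters, digits or underscores.
USERNAME_ALLOW = re.compile(r"[A-Za-z0-9_]{1,32}")

# Denylist: enumerate "bad" characters and accept everything else.
# Constructed to look reasonable, which is exactly the problem: it is never complete.
USERNAME_DENY_CHARS = set("'\";<>&|")


def is_valid_allowlist(value: str) -> bool:
    # fullmatch anchors both ends without the '$' pitfall shown below.
    return USERNAME_ALLOW.fullmatch(value) is not None


def is_valid_denylist(value: str) -> bool:
    return 0 < len(value) <= 32 and not any(c in USERNAME_DENY_CHARS for c in value)


def sloppy_allowlist(value: str) -> bool:
    # Same character class, but anchored with '$': in Python '$' also matches just
    # before a trailing newline, so "bob\n" slips through an "allowlist".
    return re.match(r"^[A-Za-z0-9_]{1,32}$", value) is not None


# Constructed inputs: one ordinary name and several a denylist author did not anticipate.
SAMPLES = {
    "alice_01": "ordinary username",
    "bob\n": "trailing newline: corrupts line-oriented logs and protocols",
    "carol\x00": "embedded NUL: truncates in C-based consumers",
    "dave\u202eevad": "Unicode bidi override: displays misleadingly in UIs",
    "erin'; --": "quote and semicolon: the one case the denylist was written for",
}


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (allowlist verdict, denylist verdict)."""
    return {s: (is_valid_allowlist(s), is_valid_denylist(s)) for s in samples}


def denylist_gaps(samples=SAMPLES) -> set:
    """Inputs the denylist accepts but the allowlist rejects: the unlisted cases."""
    return {s for s, (allow, deny) in compare(samples).items() if deny and not allow}


if __name__ == "__main__":
    for s, (allow, deny) in compare().items():
        print(f"{s!r:20} allowlist={allow!s:5} denylist={deny!s:5}  {SAMPLES[s]}")
```

Every gap the denylist leaves is a character nobody thought to list; the allowlist needed no such foresight.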
