Checklist for Developing More Secure Software#
Here is a concise guide for all software developers for secure software development, building, and distribution. All tools or services listed are merely examples.
Ensure all privileged developers use multi-factor authentication (MFA) tokens. This includes those with commit or accept privileges. MFA hinders attackers from “taking over” these accounts.
Learn about secure software development. Take, e.g., see Security By Design Playbook.
Use a combination of tools in your CI pipeline to detect vulnerabilities. See the OpenSSF guide to security tools. Tools shouldn’t be the only mechanism, but they scale.
Evaluate software before selecting it as a direct dependency. Only add it if needed, evaluate it (see Concise Guide for Evaluating Open Source Software, double-check its name (to counter typosquatting), and ensure it’s retrieved from the correct repository.
Use package managers. Use package managers (system, language-level, and/or container-level) to automatically manage dependencies and enable rapid updates.
Implement automated tests. Include negative tests (tests that what shouldn’t happen doesn’t happen) and ensure the test suite is thorough enough to “ship if it passes the tests”.
Monitor known vulnerabilities in your software’s direct & indirect dependencies. E.g., enable basic scanning via GitHub’s dependabot or GitLab dependency scanning. Many other third party Software Composition Analysis (SCA) tools are also available. Quickly update vulnerable dependencies.
Keep dependencies reasonably up-to-date. Otherwise, it’s hard to update for vulnerabilities.
Do not push secrets to a repository. Use tools to detect pushing secrets to a repository.
Prominently document how to report vulnerabilities & prepare for them.
Make it easy for your users to update. Implement stable APIs, e.g., support old names when new ones are added. Use semantic versioning. Have a deprecation process.
Earn an OpenSSF Best Practices badge for your open source project. At least earn “passing”. Plan and roadmap to eventually earn silver & gold.
Notify the community of vulnerabilities in your project. Publish security advisories with accurate & precise information, e.g., what usage & versions are vulnerable, mitigations, and fixed version(s). Get a CVE ID. On GitHub, create your security advisory & request a CVE.
Improve your Supply chain Levels for Software Artifacts (SLSA) level. This hardens the integrity of your build and distribution process against attacks.
Onboard your project into LFX Security if you manage a Linux Foundation project.
Apply SAFECode’s Fundamental Practices for Secure Software Development.
Complete a third-party security code review/audit. Expect this to be USD$50K or more.
Continuously improve. Improve scores, look for tips, & apply as appropriate.
Manage succession. Have clear governance & work to add active, trustworthy maintainer(s).
Prefer memory-safe languages. Many vulnerabilities involve memory safety. Where practical, use memory-safe programming languages (most are) and keep memory safety enabled. Otherwise, use mechanisms like extra tools and peer review to reduce risk.
Open Source Security Foundation (OpenSSF) Best Practices Working Group, 2023-06-14