The Open Source Security Foundation (OpenSSF) has developed a trio of free courses on how to develop secure software. These courses are part of the Secure Software Development Fundamentals Professional Certificate program, all available on the edX platform. This material is intended for all software developers so they can learn to develop secure software. It focuses on practical steps that any software developer can easily take, not theory or actions requiring unlimited resources.
Those interested can sign up starting October 29, 2020. The course material is expected to be released on November 5, 2020.
Almost all software is under attack today, and many organizations and developers are unprepared in their defense. The Secure Software Development Fundamentals courses will enable software developers to create and maintain systems that are much harder to successfully attack, reduce the damage when attacks are successful, and speed the response so that any latent vulnerabilities can be rapidly repaired. The best practices covered in this program apply to all software developers, and include information especially useful to those who use or develop open source software.
Today, 48% of technical hiring managers state that hiring professionals with security expertise is a high priority (as reported in the 2020 Open Source Jobs Report), so there is no better time to take these courses. Similarly, Security Software Developers earn 35% more than Software Developers on a US nationwide average (according to ZipRecruiter data from Sep 25, 2020).
The courses in this program discuss risks and requirements, design principles, and evaluating code (such as packages) for reuse. The program then focuses on key implementation issues: input validation (such as why allowlists and not denylists should be used), processing data securely, calling out to other programs, sending output, cryptography, error handling, and incident response. This is followed by a discussion of various kinds of verification issues, including different kinds of security tools. The program concludes with a discussion of deployment and vulnerability reporting.
Chris Aniszczyk (CTO of Cloud Native Computing Foundation (CNCF)) said, “In today’s world where more companies are using more software, becoming software companies themselves and everything is becoming connected, security education is more important than ever. At CNCF, we are excited about this new security professional certificate, and intend to have all of our project leadership pass the courses in the program and recommend you do the same in your communities.”
Software developers can take each of the three courses at no cost. They can enroll at any time, and they will then have limited-time access to the course material on edX. Developers who wish to prove mastery of the material (or have unlimited access time to the material on edX) can enroll in the Secure Software Development Fundamentals Professional Certificate program for a fee. The courses included in the program are:
- Secure Software Development: Requirements, Design, and Reuse (LFD104x)
- Secure Software Development: Implementation (LFD105x)
- Secure Software Development: Verification and More Specialized Topics (LFD106x)