By Randall T. Vasquez (Gentoo) and Best Practices for Open Source Developers Working Group
In recent years, open-source software’s rapid growth has allowed developers to reach new frontiers. Red Hat expects this growth to scale further over the next few years, with 80% of businesses expecting to increase their reliance on open-source in the coming years. However, this hasn’t come without its concerns. Recently, Snyk and The Linux Foundation reported that “51% of organizations (don’t) have a security policy for Open Source Software (OSS) development or usage”.
In response to the growing concern around open source software development, OpenSSF’s Best Practices for Open Source Developers Working Group (WG) has been diligently working with concerned members and community groups on a couple of new guides for developers and consumers of open source.
Concise Guide for Developing More Secure Software
Our first new guide, “Concise Guide for Developing More Secure Software,” is aimed at software developers of both open source and closed source software. The objective was to create a brief yet actionable rundown of what is expected of every developer and project. It advises a variety of actions, from ensuring all privileged developers use multi-factor authentication (MFA) tokens, to prominently documenting how to report vulnerabilities & prepare for them.
Concise Guide for Evaluating Open Source Software
Our second new guide, “Concise Guide for Evaluating Open Source Software,” is aimed at both developers and consumers of open-source software. The objective was to create THE go-to reference document for anyone considering using some open-source software. It recommends evaluating a potential OSS dependency for security and sustainability by considering questions like: Can you avoid adding it? Are you evaluating the intended version? Is it maintained? And many more.
Ideally, developers can use these guides as they write their code, contribute to community projects, or when tasked with incorporating OSS tools and projects into the work they are composing. Also, now that these concise guides are available, the broader community can contribute their ideas as secure development practices continue to evolve.