By Christopher “CRob” Robinson, Director of Security Communications, Intel IPAS & OpenSSF Working Group Community Member and Lead
This month, we present a spotlight on one of our OpenSSF Working Groups: the Best Practices for Open Source Developers Working Group. Learn more about the purpose and activities of our working group, what we’ve been working on in the past few months, and how you can get involved with our initiatives.
The goal of the Best Practices Working Group is to provide open source developers with recommendations on best practices around development and security. This working group focuses on providing developers with guidance and tools in order with an easy way to learn and apply them and has been part of the OpenSSF since the very beginning as one of its original working groups.
Highlights of the Past Few Months
In the fall of 2022, the working group created a series of Concise Guides: articles that bring together best practices around open source software development and management. This includes guides on developing more secure software, evaluating open source software, and using the npm package manager. These documents provide users and developers of open source software fast and simple references of the best ways to quickly improve the security of the software they write or use.
We also develop and maintain the OpenSSF Best Practices Badge. The Badge program allows OSS projects to demonstrate that they follow best practices and provides an electronic badge to showcase their expertise. Another amazing tool is Scorecard, which is an automated tool that assesses projects based on various heuristics associated with software security best practices. Both systems have continued to grow in usage, with Scorecard in particular used by over 500 projects. Scorecard also recently released an API that is now generally available.
New and Upcoming Initiatives
We are working on creating new guides and best practices documentation to help developers get access to tools and knowledge to make their jobs easier and more secure. The first one is a guide of best practices around source code management. This is intended for users and consumers of forums like GitHub, GitLab, or other software hosting providers, giving them best practices on how to configure and use those types of environments. We are also working on a Best Practices Guide around C/C++ Compiler Hardening Options, which focuses on compiler flags that should be used for C/C++ to best improve an application’s security posture. This is a true cross-technology and cross-industry effort with participants from many of the most popular compiler communities assembling to “compile” this great security advice.
The working group also has a new special interest group focused on education, called EDU.SIG. The purpose of EDU.SIG is to create educational materials around software development best practices that are open and widely accessible. Originally based on educational initiatives in the OpenSSF Mobilization Plan Stream 1, we’ve submitted a proposal with our updated plan for review by the OpenSSF Technical Advisory Council (TAC) and Governing Board (GB). Our DEI Subcommittee has also worked on compiling resources and creating educational opportunities around improving access and representation within open source security and education. The goal is to improve opportunities for underserved committees, as the Subcommittee presented in the March OpenSSF Town Hall.
We are also making a podcast series around all of these great secure development best practices in order to raise awareness among the developer community of how to use these resources and gain their benefits.
The place where we most need help at this time is around our education efforts and EDU.SIG. Please take a look at our proposal and let us know if you have any feedback. We are particularly looking for people from an academic or teaching background, or who have experience with instructional design, who can help us best transform our content into concrete learnable courses. We’re also always looking for feedback on what type of training open source developers and maintainers would most benefit from.
We’d also love every instructor-led class we create to have a hands-on lab that a developer can go through to practice those skills. If you have coding experience, we’d love your help with developing more labs so that it’s easier for developers to learn the skills we teach. We’ve proposed a list of labs where we currently need help.
And that’s it! Learn more about the BEST WG, or get involved, on our GitHub page and stay tuned to learn more about the initiatives we are working on! We hold meetings every other Tuesday at 10am EST, and you are welcome to join our meetings and help with our initiatives.