
OpenSSF Releases Plan for Improving Software Developer Security Education

March 18, 2024 | Blog

The Open Source Security Foundation (OpenSSF) has just released its 2024 plan to improve software developer education, titled “Plan for Improving Software Developer Security Education”. This is the plan the OpenSSF Education Special Interest Group (SIG) intends to follow this year.

The plan first shows that secure software development education is needed. Many governments have collectively stated that software should be secure by design and by default (see Secure by Design). However, software developers typically do not know how to develop secure software, because they normally never receive education or training in how to do so. We believe one of the most effective ways to improve the long-term overall security of software is education and awareness. This training always travels with a developer as they interact with all phases of their software development lifecycle. Automation and tooling are also necessary, but their effectiveness depends on the knowledge of their user.

The plan then summarizes the current state of related educational materials, as well as briefly discussing the context of earlier OpenSSF education efforts. We wanted to ensure we learned from other efforts and didn’t duplicate existing work.

The plan then identifies three focus areas for 2024:

  1. Improve the current OpenSSF course on the fundamentals of developing secure software. The current course is already popular, free, and highly regarded. However, it lacks optional labs, and there are requests to increase its use of multimedia. These improvements can help everyone. We intend to develop a few optional labs to verify the approach, then develop more as a community once the approach has been agreed on.
  2. Create a new short course for managers who supervise developers. This course would explain what managers should expect their developers to do to develop secure software, so they can adequately hire, acquire training for, manage, and, where necessary, dismiss developers. Managers can enable or prevent the steps needed to develop secure software, so this is an important enabler. We plan to develop this course based on materials contributed by Intel.
  3. Create a new intermediate-level (“201”) course to go deeper into a specific area. This would be a more focused course designed to follow on from the fundamentals course. We will first survey to identify the most important areas to cover, so that we can select an area using a data-driven approach.

The OpenSSF focuses on securing open source software (OSS), but in most cases the educational needs are the same for developers of both open source and closed source software. Attackers often don’t care what the licenses are in use; they simply want to exploit software. Thus, we believe that these materials will be helpful across the software industry.

Like any plan, we expect that we will adjust things as we do the work, get feedback, and collaborate. This plan also doesn’t exclude other ideas and educational efforts if contributors arise and agree to do the work. For example, at the time of this writing, there is a discussion in the OpenSSF Education SIG about defining minimum requirements for secure software development education (e.g., in colleges and universities).

Please complete our survey on software development education; it will help us know what specifics to address.

We welcome contributions from anyone interested in helping improve the state of education and guidance related to software development. If you are interested, please join the OpenSSF Education Special Interest Group (SIG) via its biweekly meetings, mailing list, and Slack channel. We can do much more together than by ourselves.