By Ashwin Ramaswami
Software security has continued to grow in importance. The Linux Foundation has undertaken various initiatives around open source software security, such as the Open Source Security Foundation (OpenSSF); a full list of initiatives is available on LF Security.
One of the most important steps toward ensuring that we can develop secure software is software security education. Software security is becoming increasingly emphasized, not only at the university level, but also at the professional level. As the nature of both the software ecosystem and security threats has continued to change and evolve over the years, the nature and content of security education must also change.
In that vein, we wanted to (re-)introduce you to LFD 121: Developing Secure Software, the Linux Foundation’s free course on secure software development fundamentals. This post will discuss a bird’s-eye view of the course and its topics; why every developer should take it; and how its material has continued to be updated and remain relevant.
Overview of the Course
The course material is self-paced and is split into three smaller courses:
Part I, Requirements, Design, and Reuse: This course introduces the basics of security and how to consider security requirements as part of software development. It also explains how to implement secure design principles that allow one to design software to be secure from the ground up; and, finally, how to secure your software supply chain by picking the right components and dependencies.
Part II, Implementation: This course focuses on key parts of implementation and practical steps to improve information security so that developers can counter the most common kinds of attacks. This includes input validation, processing data securely, calling out to other programs, sending output, and error handling.
Part III, Verification and More Specialized Topics: This course discusses how one can verify software to ensure its security, including static and dynamic analysis and how to apply these tools in CI/CD pipelines. It also discusses more specialized topics, such as threat modeling, fielding, and formal methods to justify that software is secure.
The course material is self-paced, and the entire course should take around 14-18 hours total.
Why Take It?
LFD 121 equips developers with the right tools to build secure software. Whether you are learning how to develop secure software for the first time or are an experienced developer who wants to keep up with the latest trends in security, this course can help. The course has quizzes and labs; that interactivity improves learning.
You can learn from the course and receive a certificate of completion at no cost if you enroll via LFD121. The course material is also available on edX, for those who prefer edX; learning from edX is free, but its equivalent certificate of completion does have a fee.
The Future of Software Security
Software security threats are constantly evolving, and the contents of this course will evolve according to the needs of the time. While software security fundamentals are broadly applicable and do not change, details do change, and the course is updated over time. The content of the course is also freely available on GitHub under a Creative Commons Attribution License (CC-BY) version 4.0. Please feel free to propose changes to the course by filing an issue or making a pull request.
So, please consider taking this course today, and share your feedback, so that we have an open repository of great content. We encourage developers to get started today! See: LFD 121: Developing Secure Software