By David A. Wheeler
This post summarizes key steps that software developers can take to improve software security. It is a text version of a talk given at Open Source Summit North America (OSS NA) 2024.
Software is under attack. Attackers are looking for vulnerabilities to exploit, and today that does not mean only directly exploiting unintentional vulnerabilities in production software. Attackers are also trying to divert software developers to the wrong software via typosquatting and dependency confusion attacks. Attackers are trying to take over developer accounts, and sometimes they even play long cons to gain trust and insert malicious code into software as authorized maintainers (as exemplified by the recently discovered attack on xz). Unfortunately, this includes open source software (OSS): supply chain attacks on OSS are increasing. It’s not just OSS; as the attack on SolarWinds’ Orion software revealed, attackers are also attacking the supply chains of closed source software.
So if you develop software, you must develop and release it to resist attack. You must also take reasonable precautions when bringing in software from the outside (whether or not it’s OSS). The good news is that the Open Source Security Foundation (OpenSSF) has materials to help you do that! In this post I’ll particularly focus on key points from two OpenSSF guides, which then point to other materials:
- “Concise Guide for Developing More Secure Software”
- “Concise Guide for Evaluating Open Source Software”
First, when developing software, here are a few key points:
- Protect your accounts! Ensure all privileged developers (such as those who can commit or accept changes) use multi-factor authentication (MFA) tokens. At least use more than passwords, and don’t reuse passwords across sites. Attackers are trying to take over privileged accounts.
- Learn about secure software development. The OpenSSF has a free course on the fundamentals of developing secure software called “Developing Secure Software” (LFD121). OpenSSF has other courses too, e.g., Securing Your Software Supply Chain with Sigstore (LFS182x).