Best Practices for Open Source Developers
Anyone is welcome to join our open discussions related to the group's mission and charter.
Objective
Our objective is to provide open source developers with best practices recommendations, and with an easy way to learn and apply them.
Unlike other existing best practices list, we want it to be widely distributed to open source developers and community-sourced. And we want these practices to stick, thanks to an effective learning platform.
Vision
Our vision is to make it easy for developers to adopt these best practices, thanks to:
- Identifying good practices, requirements, and tools that help open source developers create and maintain more secure software
- Helping maintainers Learn to write secure software
- Provide tools to help developers Adopt these good practices into their daily work
Scope
The Developer Best Practices group wants to help identify and curate an accessible inventory of best practices
- Prioritized according to ROI for open source developers
- Categorized per technology, language, framework
- Community-curated
Help build a community
- Program to attract open source contributors and incentivize them to use and contribute to the inventory
Supply a Learning platform -Any free course can be integrated into the platform
- The learner can follow a track, track their progress and get badges
- A suite of exercises are available for each best practice of the inventory
Current Work
Our work is organized into several discrete-yet-related projects that help us achieve our goals:
-
Concise guides for (1) developing software and (2) evaluating OSS (sandbox)
-
Common Requirement Enumeration (CRE) Project - (incubating) https://www.opencre.org/
- Purpose - (Identify) Identify similar requirements in different specifications
-
Secure Software Development Fundamentals (online course) - https://openssf.org/training/courses/ and https://github.com/ossf/secure-sw-dev-fundamentals
- Purpose - (Learn) Teach software developers fundamentals of developing secure software
-
SKF - Security Knowledge Framework - https://www.securityknowledgeframework.org/
- Purpose - (Identify/Adopt/Learn) Learn to integrate security by design in your web application
-
OpenSSF Best Practices Badge (formerly CII Best Practices badge) - https://bestpractices.coreinfrastructure.org/ and https://github.com/coreinfrastructure/best-practices-badge
- Purpose - (Identify/Adopt) Identifies FLOSS best practices & implements a badging system for those practices,
-
OpenSSF Scorecard Project - https://github.com/ossf/scorecard
- Purpose - (Adopt) Automate analysis and trust decisions on the security posture of open source projects.
-
Great MFA Distribution Project - (incubating) https://github.com/ossf/great-mfa-project
- Distribute MFA tokens to OSS developers and best practices on how to easily use them
-
Compiler Options Hardening Guide for C and C++ (incubating, editable version)
- Recommended compiler option flags for C/C++ programs, especially warning and hardening flags, for developers & distributionss. You can also see our older work, Recommended compiler option flags for C/C++ programs.
-
Interactive artwork - (incubating) https://github.com/blabla1337/wg-best-practices-os-developers/tree/main/infinity2
- Place where we want to guide developers in what stage they can use what type of tooling or approach. We have tons of great tools and materials but hard to find for devs, using this page and interactive loop we want to guide them to find the right stuff.
-
Existing Guidelines for Developing and Distributing Secure Software GitHub Repo
- Purpose - (Identify) - Highlight documentation and training materials that educate OSS developers on good secure coding practices
-
Package Manager Best Practices - (incubating) - https://github.com/ossf/package-manager-best-practices
- Purpose - (Identify/Learn) Collect and document security best practices for projects using various package managers.
-
npm Best Practices Guide - This document aims to be a one-time stop explaining the security supply-chain best practices when using npm's package manager.
- Purpose - (Identify/Learn) Collect and document security best practices for projects npm.
-
Education SIG - (incubating) - https://github.com/ossf/education/
- Purpose - (Learn) To provide industry standard secure software development training materials that will educate learners of all levels and backgrounds on how to create, compose, deploy, and maintain software securely using best practices in cyber and application security.
We welcome contributions, suggestions and updates to our projects. To contribute please fill in an issue or create a pull request.
Related Activities
There are many great projects both within and outside the Foundation that compliment and intersect our work here. Some other great projects/resources to explore:
- SLSA Supply-chain Levels for Software Artifacts - https://github.com/slsa-framework/slsa
- Purpose - A security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity
Quick Start
Areas that need contributions
- Any topics related to helping developers more easily make more secure software or consumers to better understand the security qualities of the software they wish to ingest
Where to file issues
- Issues can be reviewed and filed here
Get Involved
Anyone is welcome to join our open discussions related to the group's mission and charter.
- 2023 Meeting Notes
- 2022 Meeting Minutes
- Historic Group Notes 1
- Historic Notes 2021
- Recent WG report to the TAC on activities and project statuses
- Discussions
- Official communications occur on the Best Practices mailing list
- Manage your subscriptions to Open SSF mailing lists
- Join the conversation on Slack
Meeting Times
Every 2 weeks, Tuesday 10am EST. The meeting invite is available on the public OSSF calendar
| Effort | Meeting Times | Meeting Notes/Agenda | Git Repo | Slack Channel | Mailing List |
|---|---|---|---|---|---|
| Full WG | Every 2nd Tuesday 7:00a PT/10:00a ET/1400 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Concise Guides - C/C++ Compiler Hardening Options | Occurs every 2nd Wednesday 6:00a PT/9:00a ET/1400 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Concise Guides - Source Code Management Best Practices | Occurs every 2nd Thursday 7:00a PT/10:00a ET/1400 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| EDU.SIG | Occurs every 2nd Wednesday 6:00a PT/9:00a ET/1400 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| EDU.SIG - DEI Subcommittee | Occurs every 2nd Tuesday 8:00a PT/11:00a ET/1600 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Memory Safety SIG | Every 2nd Thursday 10:00a PT/1:00p ET/1500 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Scorecard | Occurs every 2nd Thursday 1:00p PT/4:00p ET/1800 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Security Knowledge Framework - SKF | TBD | Meeting Notes | Git Repo | Slack | Mailing List |
Meeting Notes
Meeting notes are maintained in a Google Doc found in the above table. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.
Governance
The CHARTER.md outlines the scope and governance of our group activities.
- Lead - Christopher "CRob" Robinson
- Co-Lead - Xavier René-Corail
- "*" denotes a project/SIG lead
Project Maintainers
- Christopher "CRob" Robinson*, Intel
- Xavier René-Corail, GitHub
- David A Wheeler, LF/OSSF
- Dave Russo*, Red Hat
Project Collaborators
- Christine Abernathy*, F5
- Daniel Applequist*, Snyk
- Avishay Balter, Microsoft
- Jeffrey Borek, IBM
- VM Brasseur, WiPro
- Glenn ten Cate*, OWASP/SKF
- Judy Kelly, Red Hat
- Georg Kunz, Ericsson
- Arnaud J Le Hors, IBM
- Matt Rutkowski, IBM
- Marta Rybczynska, Syslinbit
- Yotam Perkal, Rezilion
- Eric Tice, WiPro
- Randall T. Vasquez*, Gentoo/Homebrew
- Jay White, Microsoft
Project Contributors
- Aeva Black, Microsoft
- Jory Burson, Linux Foundation
- Rosaria Carr, Indeed
- Riccardo ten Cate, SKF
- Spyros Gasteratos*, OWASP/CRE
- Sami Guirguis, TELUS
- Jonathan Leitschuh*, Dan Kaminsky Fellowship @ Human Security
- Jeff Mendoza, Google
- Kara Olive, Google
- Laurent Simon*, Google/Scorecard
- Azeem Shaikh*, Google/Scorecard
- Harimohan Rajamohanan, Wipro
- Ixchel Ruiz, jfrog
- Patricia Tarro, Dell
- Thomas Nyman*, Ericsson
- Noam Dotan, Legit Security
Licenses
Unless otherwise specifically noted, software released by this working group is released under the Apache 2.0 license, and documentation is released under the CC-BY-4.0 license. Formal specifications would be licensed under the Community Specification License (though at this time we don't have any examples of that).
Charter
Like all OpenSSF working groups, this working group reports to the OpenSSF Technical Advisory Council (TAC). For more organizational information, see the OpenSSF Charter.
Antitrust Policy Notice
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.