Secure OSS Development Guide

Welcome to the Secure OSS Development Guide. The goal of this wiki is to provide a list of best practices that are recommended for securely developing an open source project.

Note: This development guide is currently a work in progress. At this point the guide should not be considered complete, and current content will not necessarily be included in the final draft.

<under construction>

The Tools page has a long list of tools that can automate finding (some kinds of) security problems.

Many open-source projects have a suite of regression tests, often run by typing make check or make test or make all from the command line. (See https://en.wikibooks.org/wiki/Make#make_check ).

Password hashing is one of the few Solved Problems in security. Password hashing best practices:

• Store the password hash in PHC string format (which makes it *much* easier later to increase the “work factor” or switch hash functions completely): https://crypto.stackexchange.com/questions/117424/switching-hashing-from-bcrypt-to-argon2-in-a-springboot-applciation
• As of 2016, new software should use Argon2 for password hashing https://stackoverflow.com/questions/20186354/best-practice-of-hashing-passwords and https://security.stackexchange.com/questions/193351/in-2018-what-is-the-recommended-hash-to-store-passwords-bcrypt-scrypt-argon2 and https://crypto.stackexchange.com/questions/59797/authorities-on-password-hashing-best-practice

“CISA: America's Cyber Defence Agency” has made a number of recommendations to improve the security of software, including open-source software:

• “Cybersecurity Best Practices” https://www.cisa.gov/topics/cybersecurity-best-practices
• “Secure by Design Alert: Eliminating Buffer Overflow Vulnerabilities” https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities begins by recommending “Where feasible, use memory-safe languages when developing software – to shift the burden of memory management from the developer to the programming language’s built-in safety features.”