This shows you the differences between two versions of the page.
|
development-guide [2013/02/12 20:53] coreycb created |
development-guide [2025/11/15 07:25] (current) davidcary add a few recommendations for secure development (with references) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Secure Open Source Software Development Guide ====== | + | ====== Secure OSS Development Guide ====== |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 5: | Line 6: | ||
| Welcome to the Secure OSS Development Guide. The goal of this wiki is to provide a list of best practices that are recommended for securely developing an open source project. | Welcome to the Secure OSS Development Guide. The goal of this wiki is to provide a list of best practices that are recommended for securely developing an open source project. | ||
| - | Note: This development guide is currently a work in progress. Any information provided on this wiki at this point should not be considered complete and will not necessarily be included in the final draft. | + | Note: This development guide is currently a work in progress. At this point the guide should not be considered complete, and current content will not necessarily be included in the final draft. |
| + | |||
| + | |||
| + | |||
| + | |||
| + | ===== Development Guide ===== | ||
| + | |||
| + | <under construction> | ||
| + | |||
| + | |||
| + | |||
| + | The [[Tools]] page has a long list of tools that can automate finding (some kinds of) security problems. | ||
| + | |||
| + | |||
| + | Many open-source projects have a suite of regression tests, | ||
| + | often run by typing ''make check'' or ''make test'' or ''make all'' from the command line. (See https://en.wikibooks.org/wiki/Make#make_check ). | ||
| + | |||
| + | |||
| + | Password hashing is one of the few Solved Problems in security. | ||
| + | Password hashing best practices: | ||
| + | |||
| + | * Store the password hash in PHC string format (which makes it *much* easier later to increase the "work factor" or switch hash functions completely): https://crypto.stackexchange.com/questions/117424/switching-hashing-from-bcrypt-to-argon2-in-a-springboot-applciation | ||
| + | * As of 2016, new software should use Argon2 for password hashing https://stackoverflow.com/questions/20186354/best-practice-of-hashing-passwords and https://security.stackexchange.com/questions/193351/in-2018-what-is-the-recommended-hash-to-store-passwords-bcrypt-scrypt-argon2 and https://crypto.stackexchange.com/questions/59797/authorities-on-password-hashing-best-practice | ||
| + | |||
| + | |||
| + | "CISA: America's Cyber Defence Agency" has made a number of recommendations to improve the security of software, including open-source software: | ||
| + | |||
| + | * "Cybersecurity Best Practices" https://www.cisa.gov/topics/cybersecurity-best-practices | ||
| + | * "Secure by Design Alert: Eliminating Buffer Overflow Vulnerabilities" https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities begins by recommending "Where feasible, use memory-safe languages when developing software -- to shift the burden of memory management from the developer to the programming language’s built-in safety features." | ||
| - | ===== Secure OSS Development Guide ===== | ||