Awesome
Best Practices for Open Source Developers
Anyone is welcome to join our open discussions related to the group's mission and charter.
The BEST Working group is officially a Graduated-level working group within the OpenSSF <img align="right" src="https://github.com/ossf/tac/blob/main/files/images/OpenSSF_StagesBadges_graduated.png" width="100" height="100">>
<img align="right" src="https://github.com/ossf/wg-best-practices-os-developers/blob/main/img/ossf-best-goose.png" width="300" height="300">Mission
Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them.
We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation.
Vision
- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified.
- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types.
- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work.
Scope
The Developer Best Practices group wants to help identify and curate an accessible inventory of best practices
- Prioritized according to ROI for open source developers
- Categorized per technology, language, framework
- Community-curated
Strategy
To achieve our Mission and Vision, the BEST Working group will execute on the following strategy:
- Collaborate with security experts to draft a comprehensive set of best practices tailored for open-source projects.
- Identify gaps in tools and resources that provide opportunities to promote and implement secure development practices.
- Evangelize and drive adoption of our artifacts (ex: guides, trainings, tools) through community outreach and targeted maintainer engagement.
- Collaborate with other OpenSSF and open source efforts to provide comprehensive guidance, advice, and tooling for software developers and open source software consumers to use, implement, and evaluate the security qualities of software.
Roadmap
To deliver on our Strategy, the BEST Working Group will do the following:
- Evangelize OpenSSF “best practices” and tooling through blogs, podcasts, conference presentations, and the like. -- Create a “Secure from the (open) source” expert podcast to showcase the work across the foundation. -- As new guides/best practices are launched, we will create blogs and a conference presentation to raise awareness about it. -- Amplify talks and artifacts created by other groups within the foundation -- Create 3 EvilTux artifacts each quarter
- Create express learning classes for our body of work: working group explainer, SCM BP Guide, C/C++ Guide, Scorecard/Badges, Concise Guides
- Create a “Best Practices Member Badge” for member organizations
- Support and promote our sub-projects with contributions and feedback - Scorecard, BP Badges, OpenSSF - SkillFoundry, Classes, and Guides, Secure Software Guiding Principles (SSGP)
- Create a Memory Safety W3C-style workshop to assemble development leaders to talk about how to integrate memory safe languages and techniques more deeply into the oss ecosystem.
- Expand DEI AMA Office Hours to more broadly engage new-to-oss individuals and provide a forum for mentorship and guidance as they launch into and grow within their careers.
- Identify, curate, produce, and deliver new secure development education such as Developer Manager Training, Implementing/Integrating OSSF tools such as Scorecard, Badges, OSV, OpenVEX, etc), advanced secure development techniques, and more.
- Evangelize and embed all of our guides across OpenSSF Technical Initiatives and understand what makes sense to integrate into Scorecard
Help build a community
- Program to attract open source contributors and incentivize them to use and contribute to the inventory
Supply a Learning platform -Any free course can be integrated into the platform
- The learner can follow a track, track their progress and get badges
- A suite of exercises are available for each best practice of the inventory
Current Work
We welcome contributions, suggestions and updates to our projects. To contribute please fill in an issue or create a pull request.
We typically use the Simplest Possible Process (SPP) to publish and maintain the documents we publish; see the SPP documentation if you have questions about it.
Our work is organized into several discrete-yet-related projects that help us achieve our goals:
| Effort | Description | Git Repo | Slack Channel | Mailing List |
|---|---|---|---|---|
| Best Practices Guides | Longer reference documents on implementing specific secure techniques | - Compiler Annotations for C and C++ (incubating), </p> - Compiler Options Hardening Guide for C and C++, </p> - Existing Guidelines for Developing and Distributing Secure Software, </p> - Package Manager Best Practices (incubating), </p> - npm Best Practices Guide, </p> - Source Code Management Platform Configuration Best Practices, </p> - Secure Coding Guide for Python, | SCM Slack | |
| Concise Guides SIGs | Quick Guidance around Open Source Software Develpment Good Practices | - Concise Guide for Developing More Secure Software, </p> - Concise Guide for Evaluating Open Source Software | Mailing List | |
| Education SIG - (incubating) | To provide industry standard secure software development training materials that will educate learners of all levels and backgrounds on how to create, compose, deploy, and maintain software securely using best practices in cyber and application security. | EDU.SIG | stream-01-security-education | Mailing List |
| OpenSSF Best Practices Badge - formerly CII Best Practices badge | Identifies FLOSS best practices & implements a badging system for those practices, | |||
| OpenSSF Scorecard | Automate analysis on the security posture of open source projects | OpenSSF Scorecard | #scorecard | Contribute! |
| OpenSSF Scorecard — Allstar | Monitors GitHub organizations or repositories for adherence to security best practices | Allstar | #allstar | Contribute! |
| OpenSSF Security Baseline | Provide avenue for particpants to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects | OpenSSF Security Baseline | #sig-security-baseline | Mailing List |
| Secure Software Development Fundamentals - online course | Teach software developers fundamentals of developing secure software | GitHub | ||
| Memory Safety SIG | The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. | Git Repo | Slack | Mailing List |
| The Security Toolbelt | Assemble a “sterling” collection of capabilities (software frameworks, specifications, and human and automated processes) that work together to automatically list, scan, remediate, and secure the components flowing through the software supply chain that come together as software is written, built, deployed, consumed, and maintained. Each piece of the collection will represent an interoperable link in that supply chain, enabling adaptation and integration into the major upstream language toolchains, developer environments, and CI/CD systems. | Security Toolbelt | security-toolbelt | Mailing List |
| Python Hardening Guide SIG | A group working to document a secure coding guide for python and associates code examples | Git Repo | Slack | Mailing List |
Related resources
Past Work/Greatest Hits
- Interactive artwork - (incubating) https://github.com/blabla1337/wg-best-practices-os-developers/tree/main/infinity2
- Place where we want to guide developers in what stage they can use what type of tooling or approach. We have tons of great tools and materials but hard to find for devs, using this page and interactive loop we want to guide them to find the right stuff.
- Great MFA Distribution Project - (archived) https://github.com/ossf/great-mfa-project
- Distribute MFA tokens to OSS developers and best practices on how to easily use them
- Recommended compiler option flags for C/C++ programs.
Related Activities
There are many great projects both within and outside the Foundation that compliment and intersect our work here. Some other great projects/resources to explore:
- SLSA Supply-chain Levels for Software Artifacts - https://github.com/slsa-framework/slsa
- Purpose - A security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity
Quick Start
Areas that need contributions
- Any topics related to helping developers more easily make more secure software or consumers to better understand the security qualities of the software they wish to ingest
Where to file issues
- Issues can be reviewed and filed here
Get Involved
Anyone is welcome to join our open discussions related to the group's mission and charter.
- 2024 Meeting Notes
- 2023 Meeting Notes
- 2022 Meeting Minutes
- Historic Group Notes 1
- Historic Notes 2021
- Recent WG report to the TAC on activities and project statuses
- Discussions
- Official communications occur on the Best Practices mailing list
- Manage your subscriptions to Open SSF mailing lists
- Join the conversation on Slack
Meeting Times
Every 2 weeks, Tuesday 10am EST. The meeting invite is available on the public OSSF calendar
| Effort | Meeting Times | Meeting Notes/Agenda | Git Repo | Slack Channel | Mailing List |
|---|---|---|---|---|---|
| Full WG | Every two weeks, Tuesday 7:00a PT/10:00a ET/1400 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| C/C++ Compiler Hardening Options | Every two weeks, Thursday 6:00a PT/9:00a ET/1300 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| EDU.SIG | Every 2 weeks, Wednesday 6:00a PT/9:00a ET/1400 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Memory Safety SIG | Every 2 weeks, Thursday 10:00a PT/1:00p ET/1500 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Scorecard | Every 2 weeks, Thursday 1:00p PT/4:00p ET/1800 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
| Security Baseline | Every other Tuesday @ 10:00am EST | Meeting Minutes | Git Repo | Slack Channel | Mailing List |
| Python Hardening Guide SIG | Every two weeks, Monday 11AM ET | Meeting Notes | Git Repo | Slack | Mailing List |
| EDU.SIG - Course Content Collab | Every week, Monday 1PM ET | Meeting Notes | Git Repo | Slack | Mailing List |
Meeting Notes
Meeting notes are maintained in a Google Doc found in the above table. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.
Governance
The CHARTER.md outlines the scope and governance of our group activities.
- Lead - Christopher "CRob" Robinson
- Co-Lead - Randall T. Vasquez*, The Linux Foundation
- Backlog Warden -
- "*" denotes a project/SIG lead
Project Maintainers
- Christopher "CRob" Robinson*, Intel
- David A Wheeler, LF/OSSF
- Dave Russo*, Red Hat
- Randall T. Vasquez*, The Linux Foundation
Project Collaborators
- Arnaud J Le Hors, IBM
- Avishay Balter, Microsoft
- Christine Abernathy*, F5
- Daniel Applequist*, Snyk
- Georg Kunz, Ericsson
- Glenn ten Cate*, OWASP/SKF
- Jay White, Microsoft
- Jonathan Leitschuh*, Dan Kaminsky Fellowship @ Human Security
- Judy Kelly, Red Hat
- Marta Rybczynska, Syslinbit
- Noam Dotan, Legit Security
- Roberth Strand, Amesto Fortytwo / Cloud Native Norway
- Sal Kimmich, EscherCloud
- Thomas Nyman*, Ericsson
- Yotam Perkal, Rezilion
Project Contributors
- Chris de Almeida, IBM
- Jeffrey Borek, IBM
- Ixchel Ruiz, jfrog
- Laurent Simon*, Google/Scorecard
- Matt Rutkowski, IBM
- Riccardo ten Cate, SKF
- Spyros Gasteratos*, OWASP/CRE
Toolbelt Collaborators
- Andrea Frittoli, IBM
- Arnaud Le Hors, IBM
- Behan Webster, The Linux Foundation
- Brandon Mitchell, IBM
- Brian Behlendorf, The Linux Foundation
- Brian Wagner, IBM
- Christopher "CRob" Robinson, Intel
- Daniel Appelquist, Samsung
- David A Wheeler, LF/OSSF
- Georg Kunz, Ericsson
- Jacques Chester, independent
- Jay White, Microsoft
- Jeff Borek, IBM
- Jon Meadows, Citi
- Josh Clements, Analog Devices
- Joshua Lock, Verizon
- Kris Borchers, independent
- Marcela Melara, Intel
- Matt Rutkowski, IBM
- Melba Lopez, IBM
- Michael Leiberman, Kusari
- Phil Estes, AWS
- Ryan Ware, Intel
- Sal Kimmich, EscherCloud AI
- Sarah Evans, Dell
- Steve Taylor, Deployhub/Ortelius/Pyrsia
- Tom Hennen, Google
- Tracy Ragan, Deployhub/Ortelius/CDEvents
A listing of our current and past group members.
Licenses
Unless otherwise specifically noted, software released by this working group is released under the Apache 2.0 license, and documentation is released under the CC-BY-4.0 license. Formal specifications would be licensed under the Community Specification License (though at this time we don't have any examples of that).
Charter
Like all OpenSSF working groups, this working group reports to the OpenSSF Technical Advisory Council (TAC). For more organizational information, see the OpenSSF Charter.
Antitrust Policy Notice
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.