Securing an open-source project requires a lot of effort and knowledge. It also requires a strategic plan and an ability to execute. The below article is intended to help you develop that plan. With that in mind, below are 6 best practices to secure an open-source project from start to finish. 

Hire the right IT experts

Bringing the right people on board for your open source projects should be your first step if you don't already have the in-house human capital. A security team with little understanding of the architecture behind your project, as well as an open-source community without any security background, can easily lead to severe vulnerabilities.

Make sure you thoroughly vet candidates to make sure they have the right skills for the job. Testing the candidate's knowledge in a real-life situation is worth more than checking their qualifications. An expert in Linux security who has never heard of Apache Struts shouldn't be your first choice, even if they have all the paper qualifications.

Choose a secure password and don't share it with anyone

Password protection is the foundation of the security of every open source project. Keep your password private. Never use a publicly available password. Assume that someone is always watching you, trying to get access to your passwords. You can make your passwords more secure by using a password manager that will provide you with strong passwords.

Don't give strangers access to your open source project. When someone asks for access, always validate who they are and their motivation. Beware of the risks associated when allowing external users (i.e., not part of your development team) to have access to your projects' repositories or bug trackers. When in doubt, deny the access.

Use a code signing certificate to sign your releases

Code signing certificates are digitally signed security credentials that you can use to sign executables and scripts containing your software's cryptographic key. These digital signatures ensure that the file has not been modified since it was signed by your private key and is coming from you.

You should also use SSH to access your code repositories. When using the Git or Subversion source control management system, always use SSH to access your repositories. This will force you to use a key-based authentication and prevent brute-force attacks.

You can also configure your SSH client to lock your sessions after a few minutes of inactivity. Don't forget to back up your code. Think about how much time and effort you have put into creating your project. Now, imagine that someone deleted it from source control or that all your work is gone because of a disk drive failure. Make sure that you always have a backup or at least a copy of your code stored in a safe place.

Set up a security vulnerability reporting process

It is vitally important that you have a documented process for handling security reports. This is of paramount importance if you have dependencies on other open-source projects. Always check your project's code on GitLab, and keep an eye out for commits and comments from the maintainers of libraries that you use (i.e., jQuery) to see if they've released an update with a fix.

When someone submits a security vulnerability, follow the tutorial to inform them about your process. Your reporting process is basically a contract between you and the person who found a vulnerability. When someone reports a security issue to your project, they might be giving up their legal rights in exchange for your adherence to this process. This means that if you don't follow the policy, it could be considered an act of bad faith.

Encrypt sensitive data in your repositories

Having your sensitive data encrypted ensures that nobody will be able to read it without your password. You can encrypt any file within Git using GPG, providing you with the option of having different passwords for different files. This way, if one is compromised, all other information remains secure.

Encryption is a requirement for any sensitive security project, as it prevents attackers from obtaining the credentials they need to exploit your code. A tool like Git LFS can help you store big files without compromising on security.

Regularly audit your code for security vulnerabilities

Using static analysis tools is the best way to have automated audits of your code. They are able to detect common vulnerabilities without requiring manual intervention. You can configure them to run automatically on every new commit or pull request using Git hooks. This ensures that whenever someone creates a new branch for a feature set, all of the branches in your repository are checked for security vulnerabilities.

An example of a tool that can help you with this is Git Assassin. It comes with the following features: A policy engine for defining exactly what changes are allowed in which branches, Excluding/including specific files based on regex matches, Automatic issue reporting on all violations detected.

Secure your Business Emails with Email security solution

Inadequately secured email accounts provide cyber attackers with an open door into your business - frequently resulting in the compromise of sensitive data, lost productivity and serious reputation damage. Having an effective email security strategy in place is vital in keeping your business safe and successful - both while navigating this difficult, uncertain time, and while recovering from the COVID-19 crisis. It has become more apparent than ever that securing email should be a top priority for all businesses.

Conclusion 

A secure open-source project is a successful open source project. There are plenty of things you can do to make sure your project is well protected, but the above is undoubtedly the foundation of any secure open-source initiative. 

Latest Content

Other FAQs

Recommended Reading