
<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <!-- Begin Jekyll SEO tag v2.8.0 --> <title>For Software Developers | OpenSSF Best Practices Working Group</title> <meta name="generator" content="Jekyll v3.10.0" /> <meta property="og:title" content="For Software Developers" /> <meta name="author" content="Open Source Security Foundation (OpenSSF)" /> <meta property="og:locale" content="en_US" /> <meta name="description" content="The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers." /> <meta property="og:description" content="The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers." /> <link rel="canonical" href="https://best.openssf.org/developers.html" /> <meta property="og:url" content="https://best.openssf.org/developers.html" /> <meta property="og:site_name" content="OpenSSF Best Practices Working Group" /> <meta property="og:type" content="website" /> <meta name="twitter:card" content="summary" /> <meta property="twitter:title" content="For Software Developers" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"WebPage","author":{"@type":"Person","name":"Open Source Security Foundation (OpenSSF)"},"description":"The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.","headline":"For Software Developers","url":"https://best.openssf.org/developers.html"}</script> <!-- End Jekyll SEO tag --> <link rel="stylesheet" href="/assets/css/style.css?v=06cc0e57766c527e50b3f4e94be1734ca7090932"> <!-- start custom head snippets, customize with your own _includes/head-custom.html file --> <!-- Setup 
Google Analytics --> <!-- You can set your favicon here --> <!-- link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" --> <!-- end custom head snippets --> </head> <body> <div class="container-lg px-3 my-5 markdown-body"> <h1 id="for-software-developers">For Software Developers</h1> <p><em>by the <a href="https://openssf.org">Open Source Security Foundation (OpenSSF)</a></em></p> <p>If you develop or build software, here are some ready-to-go resources from the OpenSSF to help you secure that software.</p> <h2 id="general-software-security-education">General software security education</h2> <ul> <li><a href="https://openssf.org/training/courses/">Secure Software Development Fundamentals Courses</a> - a <em>free</em> course for software developers focusing on the fundamentals of developing secure software, whether it’s open source software (OSS) or closed source software. Both the course and its certificate of completion are free from Linux Foundation Training.</li> </ul> <h2 id="general-guides-for-projects">General guides for projects</h2> <ul> <li><a href="https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software">Concise Guide for Developing More Secure Software</a> - a short “start here” page for how to develop secure software.</li> <li><a href="https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#readme">Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects</a> - we recommend OSS projects use this <em>before</em> you get a vulnerability report!</li> <li><a href="https://best.openssf.org/SCM-BestPractices/">Source Code Management Best Practices Guide</a> - Guide for securing and implementing best practices for SCM platforms, including GitHub and GitLab.</li> </ul> <p>You can also see the full list of <a href="https://openssf.org/resources/guides/">Guides released by the OpenSSF</a>.</p> <h2 id="oss-project-evaluation">OSS Project Evaluation</h2> <p>Use these to evaluate 
the OSS you intend to use <em>and</em> to evaluate how well your OSS projects are doing.</p> <ul> <li><a href="https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software">Concise Guide for Evaluating Open Source Software</a> - before you add a dependency, use this to help you evaluate it.</li> <li><a href="https://github.com/ossf/scorecard">Security Scorecard</a> is a tool that automatically scores OSS projects. It supports projects hosted on GitHub and GitLab. <ul> <li>You can add <a href="https://github.com/ossf/allstar">Allstar</a> to your OSS project, which will file an issue for Scorecard policy violations (you can configure which violations file an issue). See <a href="https://github.com/ossf/allstar#quickstart-installation">Allstar’s “Quickstart Installation” for more</a>.</li> </ul> </li> <li><a href="https://www.bestpractices.dev/">OpenSSF Best Practices badge</a> - This is a questionnaire of security best practices, partly automated, that takes ~20 minutes. If you meet enough criteria, your OSS project earns a badge!</li> <li><a href="https://github.com/ossf/security-reviews">Security Reviews</a> - a collection of known security reviews of OSS projects.</li> </ul> <h2 id="build-protection">Build protection</h2> <ul> <li><a href="https://slsa.dev/">Supply-chain Levels for Software Artifacts, or SLSA (“salsa”)</a> is a checklist of standards and controls to prevent tampering, improve integrity, and secure packages. Its current focus is on protecting the build process.</li> </ul> <h2 id="specialized-guides">Specialized guides</h2> <p>As noted above, the <a href="https://openssf.org/resources/guides/">OpenSSF has many guides</a>. 
Here are some specialized guides:</p> <ul> <li><a href="https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md">npm Best Practices Guide</a></li> <li><a href="https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++">Compiler Options Hardening Guide for C and C++</a></li> </ul> <h2 id="sigstore-digital-signing">Sigstore (digital signing)</h2> <p>Sigstore is a new and simpler approach for artifact signing and signature verification.</p> <ul> <li><a href="https://github.com/sigstore/cosign">cosign</a> - tool for digitally signing artifacts.</li> <li><a href="https://openssf.org/training/securing-your-software-supply-chain-with-sigstore-course/">Securing Your Software Supply Chain with Sigstore Course</a></li> </ul> <h2 id="funding-of-oss-projects">Funding of OSS projects</h2> <ul> <li><a href="https://alpha-omega.dev/grants/how-to-apply/">Alpha-Omega</a> <ul> <li>The mission of Alpha-Omega is to protect society by improving the security of critical open source software through direct maintainer engagement and expert analysis. Through “Alpha”, we provide funding to maintainers intended to improve the project’s overall security quality. Eligible projects include standalone projects, foundations that cover many projects, and core ecosystem services. 
Their selection is informed by the work of the OpenSSF Securing Critical Projects working group and other sources, discussion with the project team, and the degree of impact funding would have.</li> </ul> </li> <li><a href="https://www.opentech.fund/funds/free-and-open-source-software-sustainability-fund/">Open Technology Fund</a> <ul> <li>The Free and Open Source Software (FOSS) Sustainability Fund is Open Technology Fund’s newest mechanism to support the long-term maintenance of established FOSS projects and the communities that sustain them.</li> </ul> </li> <li><a href="https://www.sovereigntechfund.de/programs">Sovereign Tech Fund</a> <ul> <li>The Sovereign Tech Fund is currently active in three program areas: general funding for open source digital infrastructure, the Bug Resilience Program, and the Contribute Back Challenges.</li> </ul> </li> </ul> <h2 id="for-more-information-about-the-openssf">For more information about the OpenSSF</h2> <p>To learn more about the OpenSSF, please see the <a href="https://openssf.org">main OpenSSF website</a>. From this website you can get information such as:</p> <ul> <li><a href="https://openssf.org/townhalls/">Town Hall meetings</a>, where we give brief updates. 
Consider watching a recording to learn what’s going on.</li> <li><a href="https://openssf.org/blog/">OpenSSF blog</a></li> <li><a href="https://openssf.org/events/">Upcoming Events</a></li> <li><a href="https://openssf.org/news/">OpenSSF press releases</a></li> <li><a href="https://calendar.google.com/calendar/u/0?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ">Public event calendar</a>.</li> </ul> <h2 id="getting-involved-in-the-openssf">Getting involved in the OpenSSF</h2> <p>If you’re interested in helping us improve the security (including the supply chain security) of open source software, <a href="https://openssf.org/getinvolved/">please get involved in the OpenSSF</a>.</p> <p>A good starting point would be to look at our <a href="https://openssf.org/community/openssf-working-groups/">list of OpenSSF working groups (WGs)</a> to see what would interest you. Click on a working group’s GitHub page to learn more about what it does and when it meets by video; you can also join its Slack channel and mailing list to participate in what it’s doing.</p> <p>You can <a href="https://openssf.org/getinvolved/">get involved with the OpenSSF in many ways</a>. We would love to work together.</p> <div class="footer border-top border-gray-light mt-5 pt-3 text-right text-gray"> This site is open source. <a href="https://github.com/ossf/wg-best-practices-os-developers/edit/main/docs/developers.md">Improve this page</a>. </div> </div> <script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/4.1.0/anchor.min.js" integrity="sha256-lZaRhKri35AyJSypXXs4o6OPFTbTmUoltBbDCbdzegg=" crossorigin="anonymous"></script> <script>anchors.add();</script> </body> </html>