JavaScript isn't enabled in your browser, so this file can't be opened. Enable and reload.

1 of 45

A Brief Introduction to Developing Secure Software

David A. Wheeler

Director of Open Source Supply Chain Security,

OpenSSF, The Linux Foundation

2 of 45

Meet Your Instructor

David A. Wheeler

PhD in Information Technology, MS in Computer Science, BS in Electronics Engineering, Certified Information Systems Security Professional (CISSP), Senior Member of Institute of Electrical and Electronics Engineers (IEEE)

David A. Wheeler

Director of Open Source Software Supply Chain Security, The Linux Foundation�Adjunct Professor, George Mason University

3 of 45

Developing Secure Software (LFD121)

Free course, ~16 hours, with 3 parts:

Requirements, Design, and Reuse
Implementation
Verification and Specialized Topics

Teaches fundamentals of developing secure software (OSS or Closed Source)
Includes optional hands-on labs
Free certificate via LF Training�(evidence you learned the material)
https://openssf.org/training/courses

This presentation presents highlights

4 of 45

Outline

Security Basics
(Architectural) Design
Reusing Existing Software
Implementation

Input, processing, calling other programs, output

Verification (including tools & testing)
Other: Cryptography, Vulnerability Disclosures

5 of 45

Security Basics

Security = Confidentiality, Integrity, & Availability
Risk Management: Nothing is risk-free. Manage risks

Risk = likelihood + impact

Need Protect (Identify & Protect), Detect, and Respond (Respond & Recover)
Requirements

EU Cyber Resilience Act (CRA) (free course LFEL1001)

6 of 45

Design

(Architectural) Design = a program’s top-level structure

The software components (and their relationships) to solve the problem

Least privilege: Each user/program should have fewest privileges possible
Open design: Don’t depend on attacker ignorance
Non-bypassable: Security checks must not be bypassable (server-side check)
Easy to use: If it’s hard to use, users will bypass the security mechanism
Harden system: Reduce likelihood that a single mistake is a vulnerability
Release as secure by default

7 of 45

Reusing Existing Software (including OSS)

Are you using the intended version?

Counter typosquatting & dependency confusion attacks

Is it maintained?
Is there evidence that its developers work to make it secure?
Is it easy to use securely?
See more in “Concise Guide for Evaluating Open Source Software”

best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software

8 of 45

Implementation

Most vulnerabilities are common mistakes
Learn what they are & how to avoid them
Two helpful lists:

OWASP Top 10 (for web apps)
CWE Top 25

9 of 45

Implementation: Input

Identify all inputs from potentially untrusted users
Validate all those inputs using an “allowlist” pattern, not a denylist

Give a picky pattern of what’s allowed; forbid everything else
A denylist requires you to predict all possible attacks - bad idea!
“Must be integer 1..100”
Regular expressions are often useful for this; match whole string

Regexes differ between languages (whole string ^...$, ^...\Z, \A…\z)

Ensure input checks are non-bypassable (don’t run on attacker’s computer!)

10 of 45

Implementation: Process data

Avoid Default & Hardcoded Credentials
Avoid Incorrect (Type) Conversion or Cast
Memory safety is critical, use a memory-safe language if practical

In many organizations ~70% vulnerabilities from memory unsafe practices

If you must use a memory-unsafe language (C/C++), take steps to reduce risk

Code to counter buffer overflow, use-after-free, double-free, etc.
Use compiler options to reduce risk

11 of 45

Implementation: Call out to other programs

Try to avoid eval(), exec(), execute(), system(), etc. - easily misused
Create SQL commands with parameterized statements - not concatenation

Can do this with prepared statements & correctly-implemented ORMs
"select * from authors where lastname = ?" … note the “?” parameter

OS shell injection: Avoid calling the shell directly when it’s not necessary
Use only documented APIs & check return results
Log security-relevant events (login, logout, etc.)

12 of 45

Implementation: Output

In web applications:

Use frameworks with template engines that escape by default

Counter Cross-site scripting (XSS); if it’s not the default, it’s too hard to get right

Content Security Policy (CSP) - forbid inline JavaScript & CSS in HTML
Use HTTP hardening headers

Don’t let attackers control format string parameter, e.g., printf(PARAM, …)

13 of 45

Verification

Use tools to find bugs/vulnerabilities!

Linters/style checkers (avoid likely problems, simplify code)
Static application security testing (SAST)
Dynamic analysis tools (e.g., fuzzers & web application scanners)
Software Composition Analysis (SCA) (for vulnerable dependencies)
Secret scanning

Be prepared for false+ and false-
Have a good automated test suite, good coverage, including negative tests

See OpenSSF’s “Guide to Security Tools”

14 of 45

Other: Cryptography, vulnerability disclosures

Cryptography

Never develop your own cryptographic algorithm or protocol
Never implement your cryptographic algorithms or protocols
Ensure what you choose is strong & configured correctly (not ECB mode!)

Vulnerability Disclosures

Make it clear how to report vulnerabilities & be ready for them

15 of 45

On using AI/ML to write code

AI/ML-generated code is often insecure

Trained on vulnerable code
Lacks context
LLMs hallucinate (e.g., slopsquatting)

Users more llikely to believe that generated code secure [Perry]
When using AI/ML to generate code:

Trust the AI less & engage more (e.g., re-phrasing)
Carefully check its output!!
Requires you to know about security; education more necessary now

16 of 45

To learn more, take our free course LFD121!

https://training.linuxfoundation.org/training/developing-secure-software-lfd121/

17 of 45

Ways to Participate in OpenSSF

Join a Working Group/Project

Come to a Meeting (see Public Calendar)

Collaborate on Slack

Contribute on GitHub

Become an Organizational Member

Keep up to date by subscribing to the�OpenSSF Mailing List

18 of 45

Thank You

19 of 45

Legal Notice

Copyright © Open Source Security Foundation®, The Linux Foundation®, & their contributors. The Linux Foundation has registered trademarks and uses trademarks. All other trademarks are those of their respective owners.

Per the OpenSSF Charter, this presentation is released under the Creative Commons Attribution 4.0 International License (CC-BY-4.0), available at <https://creativecommons.org/licenses/by/4.0/>. You are free to:

Share — copy and redistribute the material in any medium or format for any purpose, even commercially.
Adapt — remix, transform, and build upon the material for any purpose, even commercially.

The licensor cannot revoke these freedoms as long as you follow the license terms:

Attribution — You must give appropriate credit , provide a link to the license, and indicate if changes were made . You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

20 of 45

Appendix

21 of 45

22 of 45

23 of 45

24 of 45

25 of 45

26 of 45

27 of 45

28 of 45

	Heading 1
Row 1

29 of 45

30 of 45

31 of 45

32 of 45

33 of 45

34 of 45

35 of 45

36 of 45

Engage with

us on social media

X�@openssf

LinkedIn�OpenSSF

Mastodon�social.lfx.dev/@openssf

YouTube�OpenSSF

Facebook�OpenSSF

37 of 45

Subscribe to our mailing list

openssf.org/sign-up

38 of 45

Is your organization a member?

Questions? Contact membership@openssf.org

openssf.org/join

39 of 45

Elements

Table

	Heading 1
Row 1

40 of 45

Member Benefits: Premier

Q1	Q2	Q3	Q4
Hold one (1) guaranteed seat on the OpenSSF Governing Board + one alternate (1) representative.	Receive greater insight into OpenSSF strategy and projects through engagement with the OpenSSF leadership team.	Enjoy the most prominent placement in displays of membership, including website, landscape, and marketing materials.	Opportunity to host a security training course, Developing Secure Software (LFD121), on member’s Learning Management System (LMS) for unlimited, complimentary access for employees.
Appoint one (1) voting representative in any subcommittees or activities of the OpenSSF Governing Board.	Premier level members have the unique opportunity to customize their experience with OpenSSF. The team will make themselves available to help achieve your strategic goals.	Case Studies.	50-seat, annual subscription granting access to our library of eLearning courses and certification exams. Each seat gets access to up to two certification exams per year along with unlimited learning. (Benefit requires a signed MSA for training).
Set number of free registration tickets to events depending on membership level. Keynote slots at events.	OpenSSF can help with guidance in open source contributions, new market creation, and/or open source project donation. Have ideas? Just ask!	Feature your organization in the quarterly new members announcement. Visibility into and within the ecosystem.	Run a local event (e.g., Kubernetes Community Days).
Participate in the OpenSSF tech talk to discuss how your company can contribute.	Lottery for highest sponsorship level.		Ambassador Program.
Create an individualized press release upon membership announcement with the PR team.	Job Board listing opportunities.		Early access to annual reports.
Webinars or blog postings.			Amplification in Social Media posts.
			Provide predictions for media outreach.

41 of 45

Member Benefits: General

Q1	Q2	Q3	Q4
Participate in elections between only other General members to appoint one (1) representative to the OpenSSF Governing Board. Three (3) total General representatives will be elected to represent all General members. Voice your opinions amongst the leaders in the industry and help determine the strategic direction of OpenSSF. Participate to the OpenSSF tech talk to discuss how your company can contribute.	Receive greater insight into OpenSSF strategy and project roadmaps through increased engagement with the OpenSSF General Manager and staff.	Participate in Marketing, Community, Thought Leadership opportunities. Opportunity to host “OpenSSF Day”, including on-demand webinars and livestream.	Receive discounts on OpenSSF event sponsorships. Demonstrate your support for OpenSSF by displaying your logo on the OpenSSF website, landscape, and in marketing materials. Provide prediction for media outreach.
Identify your organization as a member and display your logo on the OpenSSF website, landscape and in marketing materials.	Create an announcement upon membership announcement with the OpenSSF PR team.

42 of 45

Member Benefits: Associate

Q1	Q2	Q3	Q4
Participate in Marketing, Community, and Thought Leadership opportunities. Identify your organization as a member and display your logo on the OpenSSF website, landscape, and in marketing materials. Participate in the OpenSSF tech talk to discuss how your company can contribute.	Feature your organization in the quarterly new members announcement. Visibility into and within the ecosystem.	Practical experience working with open source foundations. Internship opportunities with commercial members. Collaboration opportunities.	Publication opportunities based on R&D conducted with projects. Open source working experience for all participants. Access to OpenSSF events.
Identify your organization as a member and display your logo on the OpenSSF website, landscape and in marketing materials.			Provide predictions for media outreach.

43 of 45

Member Benefits: Premier

Q1	Q2	Q3	Q4
Hold one (1) guaranteed seat on the OpenSSF Governing Board + one alternate (1) representative. Appoint one (1) voting representative in any subcommittees or activities of the OpenSSF Governing Board. Set number of free registration tickets to events depending on membership level. Keynote slots at events. Participate in the OpenSSF tech talk to discuss how your company can contribute. Create an individualized press release upon membership announcement with the PR team. Webinars or blog postings.	Receive greater insight into OpenSSF strategy and projects through engagement with the OpenSSF leadership team. Premier level members have the unique opportunity to customize their experience with OpenSSF. The team will make themselves available to help achieve your strategic goals. OpenSSF can help with guidance in open source contributions, new market creation, and/or open source project donation. Have ideas? Just ask! Lottery for highest sponsorship level. Job Board listing opportunities.	Enjoy the most prominent placement in displays of membership, including website, landscape, and marketing materials. Case Studies. Feature your organization in the quarterly new members announcement. Visibility into and within the ecosystem.	Opportunity to host a security training course, Developing Secure Software (LFD121), on member’s Learning Management System (LMS) for unlimited, complimentary access for employees. 50-seat, annual subscription granting access to our library of eLearning courses and certification exams. Each seat gets access to up to two certification exams per year along with unlimited learning. (Benefit requires a signed MSA for training). Run a local event (e.g., Kubernetes Community Days). Ambassador Program. Early access to annual reports. Amplification in Social Media posts Provide predictions for media outreach.

44 of 45

Member Benefits: General

Q1	Q2	Q3	Q4
Participate in elections between only other General members to appoint one (1) representative to the OpenSSF Governing Board. Three (3) total General representatives will be elected to represent all General members. Voice your opinions amongst the leaders in the industry and help determine the strategic direction of OpenSSF. Participate to the OpenSSF tech talk to discuss how your company can contribute. Identify your organization as a member and display your logo on the OpenSSF website, landscape and in marketing materials.	Receive greater insight into OpenSSF strategy and project roadmaps through increased engagement with the OpenSSF General Manager and staff. Create an announcement upon membership announcement with the OpenSSF PR team.	Participate in Marketing, Community, Thought Leadership opportunities. Opportunity to host “OpenSSF Day”, including on-demand webinars and livestream.	Receive discounts on OpenSSF event sponsorships. Demonstrate your support for OpenSSF by displaying your logo on the OpenSSF website, landscape, and in marketing materials. Provide prediction for media outreach.

45 of 45

Member Benefits: Associate

Q1	Q2	Q3	Q4
Participate in Marketing, Community, and Thought Leadership opportunities. Identify your organization as a member and display your logo on the OpenSSF website, landscape, and in marketing materials. Participate in the OpenSSF tech talk to discuss how your company can contribute. Identify your organization as a member and display your logo on the OpenSSF website, landscape and in marketing materials.	Feature your organization in the quarterly new members announcement. Visibility into and within the ecosystem.	Practical experience working with open source foundations. Internship opportunities with commercial members. Collaboration opportunities.	Publication opportunities based on R&D conducted with projects. Open source working experience for all participants. Access to OpenSSF events. Provide predictions for media outreach.