• Stars
    star
    689
  • Rank 65,628 (Top 2 %)
  • Language
    JavaScript
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

Best Practices for Open Source Developers

GitHub Super-Linter

Anyone is welcome to join our open discussions related to the group's mission and charter.

Objective

Our objective is to provide open source developers with best practices recommendations, and with an easy way to learn and apply them.

Unlike other existing best practices list, we want it to be widely distributed to open source developers and community-sourced. And we want these practices to stick, thanks to an effective learning platform.

Vision

Our vision is to make it easy for developers to adopt these best practices, thanks to:

  • Identifying good practices, requirements, and tools that help open source developers create and maintain more secure software
  • Helping maintainers Learn to write secure software
  • Provide tools to help developers Adopt these good practices into their daily work

Scope

The Developer Best Practices group wants to help identify and curate an accessible inventory of best practices

  • Prioritized according to ROI for open source developers
  • Categorized per technology, language, framework
  • Community-curated

Help build a community

  • Program to attract open source contributors and incentivize them to use and contribute to the inventory

Supply a Learning platform -Any free course can be integrated into the platform

  • The learner can follow a track, track their progress and get badges
  • A suite of exercises are available for each best practice of the inventory

Current Work

Our work is organized into several discrete-yet-related projects that help us achieve our goals:

We welcome contributions, suggestions and updates to our projects. To contribute please fill in an issue or create a pull request.

Related Activities

There are many great projects both within and outside the Foundation that compliment and intersect our work here. Some other great projects/resources to explore:

  • SLSA Supply-chain Levels for Software Artifacts - https://github.com/slsa-framework/slsa
    • Purpose - A security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity

Quick Start

Areas that need contributions

  • Any topics related to helping developers more easily make more secure software or consumers to better understand the security qualities of the software they wish to ingest

Where to file issues

  • Issues can be reviewed and filed here

Get Involved

Anyone is welcome to join our open discussions related to the group's mission and charter.

Meeting Times

Every 2 weeks, Tuesday 10am EST. The meeting invite is available on the public OSSF calendar

Effort Meeting Times Meeting Notes/Agenda Git Repo Slack Channel Mailing List
Full WG Every 2nd Tuesday 7:00a PT/10:00a ET/1400 UTC Meeting Notes Git Repo Slack Mailing List
Concise Guides - C/C++ Compiler Hardening Options Occurs every 2nd Wednesday 6:00a PT/9:00a ET/1400 UTC Meeting Notes Git Repo Slack Mailing List
Concise Guides - Source Code Management Best Practices Occurs every 2nd Thursday 7:00a PT/10:00a ET/1400 UTC Meeting Notes Git Repo Slack Mailing List
EDU.SIG Occurs every 2nd Wednesday 6:00a PT/9:00a ET/1400 UTC Meeting Notes Git Repo Slack Mailing List
EDU.SIG - DEI Subcommittee Occurs every 2nd Tuesday 8:00a PT/11:00a ET/1600 UTC Meeting Notes Git Repo Slack Mailing List
Memory Safety SIG Every 2nd Thursday 10:00a PT/1:00p ET/1500 UTC Meeting Notes Git Repo Slack Mailing List
Scorecard Occurs every 2nd Thursday 1:00p PT/4:00p ET/1800 UTC Meeting Notes Git Repo Slack Mailing List
Security Knowledge Framework - SKF TBD Meeting Notes Git Repo Slack Mailing List

Meeting Notes

Meeting notes are maintained in a Google Doc found in the above table. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.

Governance

The CHARTER.md outlines the scope and governance of our group activities.

Project Maintainers

Project Collaborators

Project Contributors

  • Aeva Black, Microsoft
  • Jory Burson, Linux Foundation
  • Rosaria Carr, Indeed
  • Riccardo ten Cate, SKF
  • Spyros Gasteratos*, OWASP/CRE
  • Sami Guirguis, TELUS
  • Jonathan Leitschuh*, Dan Kaminsky Fellowship @ Human Security
  • Jeff Mendoza, Google
  • Kara Olive, Google
  • Laurent Simon*, Google/Scorecard
  • Azeem Shaikh*, Google/Scorecard
  • Harimohan Rajamohanan, Wipro
  • Ixchel Ruiz, jfrog
  • Patricia Tarro, Dell
  • Thomas Nyman*, Ericsson
  • Noam Dotan, Legit Security

Licenses

Unless otherwise specifically noted, software released by this working group is released under the Apache 2.0 license, and documentation is released under the CC-BY-4.0 license. Formal specifications would be licensed under the Community Specification License (though at this time we don't have any examples of that).

Charter

Like all OpenSSF working groups, this working group reports to the OpenSSF Technical Advisory Council (TAC). For more organizational information, see the OpenSSF Charter.

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

More Repositories

1

scorecard

OpenSSF Scorecard - Security health metrics for Open Source
Go
4,323
star
2

criticality_score

Gives criticality score for an open source project
Go
1,307
star
3

allstar

GitHub App to set and enforce security policies
Go
1,232
star
4

package-analysis

Open Source Package Analysis
Go
718
star
5

fuzz-introspector

Fuzz Introspector -- introspect, extend and optimise fuzzers
Python
359
star
6

wg-securing-critical-projects

Helping allocate resources to secure the critical open source projects we all depend on.
318
star
7

wg-security-tooling

OpenSSF Security Tooling Working Group
295
star
8

scorecard-action

Official GitHub Action for OpenSSF Scorecard.
Go
244
star
9

malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Go
229
star
10

wg-metrics-and-metadata

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
222
star
11

wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
177
star
12

wg-supply-chain-integrity

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.
176
star
13

s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developerโ€™s workflow.
173
star
14

osv-schema

Open Source Vulnerability schema.
Python
173
star
15

secure-sw-dev-fundamentals

Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
CSS
168
star
16

package-manager-best-practices

Collection of security best practices for package managers.
157
star
17

census

๐Ÿ“œAutomated review of open source software projects
HTML
116
star
18

tac

Technical Advisory Council
106
star
19

security-reviews

A community collection of security reviews of open source software components.
Python
91
star
20

wg-securing-software-repos

OpenSSF Working Group on Securing Software Repositories
84
star
21

alpha-omega

Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.
Open Policy Agent
77
star
22

package-feeds

Feed parsing for language package manager updates
Go
72
star
23

sbom-everywhere

Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Vue
70
star
24

foundation

OpenSSF Governance and Legal Docs
68
star
25

Project-Security-Metrics

Collect, curate, and communicate relevant security metrics for open source projects.
Python
63
star
26

great-mfa-project

The Great Multi-Factor Authentication (MFA) Distribution Project of the Open Source Security Foundation (OpenSSF). We work to distribute hardware MFA tokens to critical open source software (OSS) projects.
52
star
27

security-insights-spec

OPENSSF SECURITY INSIGHTS: Repository for development of the draft standard, where requests for modification should be made via Github Issues.
48
star
28

ai-ml-security

Potential WG on Artificial Intelligence and Machine Learning (AI/ML)
43
star
29

scorecard-monitor

Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
JavaScript
31
star
30

wg-endusers

OpenSSF Endusers Working Group
28
star
31

ossf-landscape

26
star
32

scorecard-webapp

Website and API for OpenSSF Scorecard
HTML
21
star
33

DevRel-community

Evangelizing the mission and work of the OpenSSF and building strong community outreach around end-users, open-source maintainers, and contributors.
18
star
34

toolbelt

17
star
35

education

OpenSSF Education SIG
16
star
36

project-template

OpenSSF Project Template
16
star
37

Memory-Safety

15
star
38

omega-triage-portal

Python
13
star
39

scorecard-visualizer

Tool for visualizing the Open SSF Scorecard Api data in a human friendly way
TypeScript
12
star
40

Diagrammers-Society

OpenSSF Diagrammers Society
10
star
41

OpenVEX

Vuln Disclosure WG's new SIG
9
star
42

SIRT

The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)
9
star
43

community

7
star
44

artwork

OpenSSF Artwork
7
star
45

gb-planning-committee

The Governing Board Planning Committee guides OpenSSF vision and planning including mission, roadmap, milestones and key metrics for success of the overall organization.
6
star
46

oss-researcher-vulnerability-guide

5
star
47

oss-compromises

Archive of various open source security compromises
5
star
48

github-org-access-scraper

GitHub lacks an API for listing an org's repos' access for non-team-based individuals, so, scrape it.
5
star
49

vulnerability-disclosures-whitepaper

4
star
50

S2C2F-attestation-schema-and-tool

Secure Supply Chain Consumption Framework (S2C2F) OSCAL Catalog and tool
Python
4
star
51

Governance-Committee

Governance Committee
3
star
52

disclosure-check

disclosure-check
Python
3
star
53

wg-dei

The Diversity, Equity, and Inclusion Working Group was formed in December 2023 to help increase representation and strengthen the overall effectiveness of the cybersecurity workforce.
3
star
54

si-tooling

Python
3
star
55

security-metrics-dashboard

3
star
56

homebrew-tap

2
star
57

open-auto-vuln-disclose

open-auto-vuln-disclose
Python
2
star
58

omega-moderne-client

Python
2
star
59

outreach

A place to connect about event and conference engagements
1
star
60

action-web-defn-check

GitHub action for checking a Web Application Definition file
1
star
61

.github

Github configuration
1
star
62

oss-analysis-census2-prototype

Prototype of Census 2 of open source software (NOT MAINTAINED)
Python
1
star
63

scorecard-dependencyanalysis

Scorecard action for checking when new dependencies are added to the repository.
Go
1
star