The State Of Secure Software Development - Three OpenSSF Courses
Written by Nikos Vaggalis   
Monday, 23 November 2020

The Open Source Security Foundation has recently launched three brand new and free courses on Secure Software Development, which are hosted on edX.

Nowadays every company is a software house regardless of the business it is in be it finance, manufacturing or healthcare. To provide value, businesses have to communicate through software applications built in-house or by a third party.

The problem is that cyberattackers will attack those applications, probing them to uncover vulnerabilities to exploit and get access to your internal networks, steal company and customer data or just create havoc.

These vulnerabilities occur because of bugs in the software and the most popular way in finding and fixing those bugs is by applying tooling like SAST to the source code. Still all tools come with limitations. In The future of AppSec and why I joined r2c, Clint Gibler in suggests that:

It’s impossible to find every bug, no matter how advanced your tools are.

Instead he argues the way forward is:

to build secure-by-default libraries and tools that developers can use to prevent entire classes of vulnerabilities by construction, and then make sure developers use them.This is what forward-thinking security teams at companies like Google, Microsoft, Facebook, Netflix, Dropbox, and more believe and have been investing in for years.

For example:

Modern web frameworks like Django, Ruby on Rails, and others have a number of secure defaults and built-in guardrails that make potentially dangerous tasks safe by default, including context sensitive output encoding (prevent XSS), tight integration with object relational mappers (prevent SQL injection), and more. In my and many others’ opinions, this is why overall web security has improved, not all of the fancy bug finding tools we’ve built.

Gibler's conclusion is that:

The future of AppSec is a one-two punch of secure defaults + lightweight enforcement of those defaults.

r2c has a great tool for that enforcement of sensible defaults and it's called Semgrep.You can find more information in my report Semgrep - More Than Just a Glorified Grep.

But how do you, as a library or framework or application developer, even with such custom defaults, come up with secure coding rules? Education is what matters and no tool, however powerful, can replace it. Knowing how to write secure code minimizes the exposure and can mitigate the limitations of the tools.

The complexity of today's software doesn't just require writing the core code with security in mind. It requires security not as an aftermath of the development process, but as an integral part of the CI/CD pipelines. There's even a new principle out there on that very subject; the intersection of DevOps and Security in DevSecOps.

Open Source software is increasing centre stage in today's world and its security is paramount,

the OSS that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.

Acknowledging this, last August, the Linux Foundation set up the Open Source Security Foundation (OpenSSF), with the aim of educating developers in:

  • Vulnerability Disclosures
  • Security Tooling
  • Security Best Practices
  • Identifying Security Threats to Open Source Projects
  • Securing Critical Projects
  • Digital Identity Attestation

Shortly after its establishment, this month, the OpenSSF launched three brand new courses that together can lead to a Professional Certificate in Secure Software Development Fundamentals. They set out to educate developers in:

the fundamentals of developing secure software. Geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software, this course focuses on practical steps that can be taken, even with limited resources, to improve information security.

This course will enable software developers to create and maintain systems that are much harder to successfully attack, reduce the damage when attacks are successful, and speed the response so that any latent vulnerabilities can be rapidly repaired.

That's the general outlook but each individual course specializes further. The first one Requirements, Design, and Reuse is the introductory one that goes through:

the basics of security, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider.

This part then discusses how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also discusses how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security.

The second Implementation focuses on:

key implementation issues: input validation (such as why allowlists should be used and not denylists), processing data securely, calling out to other programs, sending output, and error handling. It focuses on practical steps that you (as a developer) can take to counter the most common kinds of attacks.

The third Verification and More Specialized Topics moves on to:

how to verify software for security. In particular, it discusses the various static and dynamic analyses approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities.

It's this one that goes into SAST and CI too. What you'll learn is

  • Security Verification: How to examine software, include some key tool types, and how to apply them in continuous integration (CI). This includes learning about security code scanners/static application security testing (SAST) tools, software component analysis (SCA)/dependency analysis tools, fuzzers, and web application scanners.

  • Threat modeling/Attack modeling: How to consider your system from an attacker’s point of view and how to apply a simple design analysis approach called STRIDE.

  • Fielding: How to deploy and operate secure software, handle vulnerability reports, and how to rapidly update when reused components have publicly-known vulnerabilities.

  • Assurance cases & formal methods: The basics of approaches to more strongly analyze and justify that your software is secure.

All three courses are on edX and can be taken for free or at $199 if you want a certificate for a single course. If you want the "full program experience" and to be awarded the Professional Certificate on completion of all three, the discounted bundle cost is $535. Regardless of the price, I think that the offering addresses the needs of every software developer out there.


More Information

About OpenSSF

Secure Software Development: Requirements, Design, and Reuse

Secure Software Development: Implementation

Secure Software Development: Verification and More Specialized Topics

Professional Certificate in Secure Software Development Fundamentals

Related Articles

Semgrep - More Than Just a Glorified Grep

Professional Credentials For Computer Science Careers


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Google Reduces Support For Python, Dart And Flutter

There are many reports that Google has removed people from its Python, Dart and Flutter teams and possibly more. What does this say about relying on Google as a source of technology for your projects? [ ... ]

Digital Play Shown To Be Good For Kids

When designed with their needs in mind, video games can benefit children’s well-being. This finding comes research from  UNICEF in partnership with LEGO and the University of Sheffield.

More News

raspberry pi books



or email your comment to:

Last Updated ( Monday, 23 November 2020 )