For many, writing a computer program isn't that hard—it simply requires a certain amount of structural and logical thinking and a clear understanding of the syntax of the language you are using.
Developing software with a greater security posture adds an extra layer of complexity to this process, however, something which not all developers understand or are able to achieve. Open source can help. Open source developers, security researchers and auditors can see your code, spot potential flaws and perhaps even help you make fixes.
This doesn't mean that the developers are free to write insecure software assuming people will correct the flaws or errors for free—it actually means that they now have a greater responsibility to create high-quality code that is free of known vulnerabilities.
Red Hat is in a unique position with respect to software security and open source development. Many of our offerings depend on upstream open source projects. While Red Hat is directly involved in a lot of important projects—either through upstream developers who are Red Hat employees, or through other forms of direct and indirect contributions—there are some projects which are wholly independent.
This presents a unique challenge, but is also an opportunity to test whether consuming enterprise open source software through a vendor like Red Hat helps minimize risk and achieve compliance with applicable U.S. government standards concerning IT security best practices.
What do we do for our customers?
Secure Software Development processes are important during software development. Design and code validation can help post development as well, before the code is compiled and shipped to customers. Red Hat runs a plethora of processes before actually shipping software to our customers, including:
-
Code scanning: This process involves scanning source code before it is compiled to better detect security flaws and weaknesses. This helps us identify and fix issues in early stages. This process can detect issues in the way code is written but cannot detect design or logic mistakes. Early detection is important for Red Hat, as it helps to protect not only our customers but also the open source community as a whole, as the security patches are sent upstream so everyone can benefit from the fix.
-
Threat modeling: This process helps identify potential threats, design issues and other higher-level things not covered by code scanning or code audits. This helps us determine which software security controls an application needs in order to set effective countermeasures against potential threats. This also helps us resolve problems early on, cost-effectively improving the security posture of any application.
-
Software bill of materials (SBOM): Open source products are usually composed of many smaller projects, so knowing exactly what you are shipping is an essential step in understanding the security posture of those products. This also helps Red Hat Product Security in effective vulnerability management.
6 tips for open source developers
If you are an open source software developer or project lead, there are several things you can do to help develop software that is more secure.
1. Learn everything you can
Learning about security and how to develop code securely is a good starting point. There are several resources which are available online, most of which are free (in the true open source spirit), including:
-
Secure Software Development Fundamentals Courses from OpenSSF is an excellent starting point.
-
Red Hat Developers' You've Got Microservices... Let's Secure Them! talks about securing microservices and includes links to other secure coding guides.
-
The Fedora project defensive coding guide is a good starting point if you want to learn language specific quirks, etc.
-
Also try looking at the CVE database of previously found security flaws. These often contain links to references and can be an important way to learn how these vulnerabilities were caused in the first place.
2. Get your code peer reviewed
-
If you are a team of developers then great, you already have teammates who can peer review your code before you commit.
-
If you are a sole developer, no problem! Asking for help on public forums or mailing lists should be fine. Just get another set of eyes on your code—it always helps!
3. Use free security tools
-
There are plenty of free security analysis tools available on the internet. These range from free source code scanners to threat modeling tools and even binary analysis tools which you could use.
-
Even those which provide basic functionality for free can help provide important insights into your project.
4. Have a process to respond to vulnerabilities
-
Secure software development is not only about detecting flaws early, but is also about responding to issues that are detected after code has been shipped to customers and users.
-
Have a place to report security issues—probably an email address—and make sure this is properly advertised on the project page. Some reporters only like to send encrypted emails, so think about how you want to handle this.
-
Respond to reporters in a timely fashion. Any issues fixed should also be converted to security advisories and prominently displayed on the project page so that customers and users know if their version of software is vulnerable or not.
5. Network and keep yourself updated
-
Doesn't this apply for everything? As a developer you keep yourself updated with the latest technologies or even the newest languages, so spend a few extra cycles to stay up to date on the latest attacks and the newest tools available. In the end it should all be worth it!
6. Understand your weakest links
We all know the proverb: A chain is only as strong as its weakest link. This is also true for secure software development. As a developer, you use all methods you can to make your code as secure as possible, but there are other factors at play. Here are some things to keep in mind.
-
How secure is your build toolchain? If you are distributing pre-built binaries along with your code, how secure are your compilers, linkers and other build toolchain components? Are you using the correct flags while building?
-
Where is your source code hosted? If it is a cloud-based git repository, who else has access to the code, and how secure are your credentials?
-
Do you sign your source-code tarballs? Do you use any modern tools like sigstore to ensure transparency?
Conclusion
Thinking about securely developing your code is a process, and it takes time to train developers and reviewers to have the right mindset for this process. In the end, however, a diligent process helps both the consumers of the code as well the developers. If you're a developer, there is plenty of help available and it is only a question of learning the right methods and tools to get on the right path.
Learn more
저자 소개
Huzaifa Sidhpurwala is a Senior Principal Product Security Engineer - AI security, safety and trustworthiness, working for Red Hat Product Security Team.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.