secure-development-guide

Welcome to the Secure Development Guide!

The purpose of this guide is to discuss-industry accepted secure development practices specially applied to the open source context. While there are many references and documents freely available on the internet, this guide specifically talks about secure application design and secure development processes and practices.

This guide is divided into two parts. The first part deals with Secure development processes and practices while the second part deals with secure coding practices (Previously called Fedora Defensive coding guide

• What are secure development practices
  • Threat Modeling
  • Code scanning
    • Static Analysis or SAST
    • Dynamic Analysis or DAST
    • Source Composition Analysis
  • Fuzzing
  • Code Audit
  • Manifesting/SBOM
  • Vulnerability Response
  • References
• Secure coding guide

License

Contributing

All types of contributions to this document are welcome. PRs are preferable. For larger changes, it would perhaps make more sense in discussing them beforehand before filing change requests.

Contributors

Contributors to Secure development guide

• Huzaifa Sidhpurwala huzaifas@redhat.com
• Judy Kelly jkelly@redhat.com
• Jeremy Choi jechoi@redhat.com

Original contributors to secure coding guide.

• Florian Weimer fweimer@redhat.com
• Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com
• Robert Relyea rrelyea@redhat.com
• Huzaifa Sidhpurwala huzaifas@redhat.com