There are many aspects of secure development. Secure development is a mindset and not just technical know-how of how to code and build securely. It is something which affects all parts of the software development lifecycle. Starting from secure design, to code development, QE, release pipeline, patching, support, security advisories and even documentation.
It is often said that the strength of a chain is the strength of its weakest link, this is rightly applicable to application security as well. Therefore just developer education is not enough, it requires a change in every part of a team that deals with the development of an application.
This document aims to look at some of these practices in brief. The aim is not to provide exhaustive documentation, but to provide enough information, to get everyone excited about the process. It is expected that application project members will seek more information to re-enforce this basic knowledge and think about applying them in their open source projects.
Most people think that Secure Development LifeCycle is something which can only be applied to software created from scratch in a controlled corporate environment. This is not true!!. Secure development practices can be applied to open source software and are even applicable to packagers or application developers who use open source libraries or code.
This guide contains processes which can be applied to code independent of who developed it or what stages of development the codebase is at. It is our opinion that these processes can be easily applied to open source software because a lot of these techniques and tools are more suitable to code that is publicly available.
So buckle up!! And get ready to learn secure software development for open source software!!