Hello π
I started open source a bit naively (like everyone I guess π).
But the more I progress and the more important/popular some of my projects become π. That's great, but at some point you have to deal with a lot of things related to security (like Vulnerability disclosure).
You start to hear and see a lot of scary stories around you π±. Not to mention all the acronyms where you don't understand anything at first π΅ (VMT, CVE, SAST, SCA, CNA ...).
As I was working on an open source security project, I put pressure on myself to be ready. Also as a member of the Node.js Security WG I thought it was an interesting topic and that I was probably not the only one who was worried about not being up to the task π.
So I rolled up my sleeves and tackled the problem πͺ. Here is my feedback/journey on how I improved the security of my NodeSecure GitHub organization.
π We use Node.js and JavaScript (but most recommendations are valid for other ecosystems).
Security Policy and Vulnerability Disclosure
Adding a root SECURITY.md file explaining how developers and security researchers should report vulnerability is important. You don't want a security threat to be turned into a public issue (This gives you time to analyze and possibly fix before disclosure).
β οΈ If you are a developer, never report a security threat using a public GitHub issue. This is a serious mistake. This could even put your business/team at risk.
I don't want to bullshit you, so let me share with you the OpenSSF guide that helped me set up my first reporting strategy: Guide to implementing a coordinated vulnerability disclosure process for open source projects.
I started from scratch by reading this guide and taking inspiration from their templates π€. As a small open source team we don't especially have DNS or mail servers (not even a defined Vulnerability Management Team A.K.A VMT).
I was a bit puzzled to put my personal email as I'm not alone π.
I quickly learned that Github added a new feature to report/create private security issue π. You can enable it in the Security tab (I think it's also now possible to enable it on every repositories at once).
And this is what it finally looks like:
Use OpenSSF scorecard
The OSSF scorecard initiative is really good to assess your project against security best practices. I am not the first to write about this.
You can easily setup the GitHub action workflow by following those instructions.
Once configured, you will have a set of alerts available in the Security tab.
This will give you an overview of the different subjects to improve (workflows, dependencies etc). Each of these alerts contains a full description of the actions to be taken to fix the problem.
I have personally used these recommendations to dig and train myself. The next chapters will help you improve your score.
π’ By the way NodeSecure CLI has a first-class support of the scorecard.
π Enable branch protection
I am a bad student π³. Almost all of my projects had no branch protection on the main / master branch π.
To set up the protection, go to
Settings>Branchesand edit your main branch.
GitHub has quite a few options on the subject π΅. If you don't know what to choose in terms of options, don't check anything (it's ok to begin βοΈ).
If you want to be more restrictive, be careful because it could block you (some options are only viable in projects with many contributors/reviewers).
As far as I am concerned I often choose:
- Require a pull request before merging
- Require conversation resolution before merging
- Require status checks to pass before merging
π² Workflows Hardening
I fell down when I saw all that it was necessary to know to secure workflows with GitHub actions π².
- You must pay attention to the permissions granted to your jobs / GITHUB_TOKEN
- Ensure your GitHub Actions are pinned to a SHA
- Hardening the runner (see the StepSecurity HardenRunner)
- Probably a lot of other stuff I haven't had time to see yet π
Fortunately there is a great free online tool that help you by doing all the hard work (it will open a pull-request and automatically fix issues).
The tool was created by StepSecurity. I had the opportunity to talk with the CEO and they listen to the maintainers which is really cool.
Thanks to them β€οΈ!
Configure Dependabot
It is recommended to use Dependabot for updating your dependencies and GitHub actions (yes, it also supports updating workflows in a secure way π).
You only need to add a .github/dependabot.yml config file. Personally I recommend a weekly interval (with a lot of projects daily is a bit horrible).
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
The StepSecurity tool we have seen in the previous chapter is also capable of doing it π.
Also, think to enable Dependabot alerts in the Security tab. This will allow the bot to open pull-request to fix known vulnerabilities by looking at your dependencies (referenced in package.json or others).
π¬ Adding CodeQL scanning
To enhance security even more you can add a SAST tool like CodeQL. Like scorecard it will report security scanning alert but for your codebase.
Here an example:
A great way to make sure that newly added code does not contain vulnerabilities that were obvious to detect.
π Note that once again StepSecurity can set up the workflow for you.
π Enable Security advisories (and others)
Github Security tab as a lot of cool features that help you maintain the security of your project. If you have followed all my previous chapters, most of them should be enabled now.
Make sure to also enable Secret scanning alerts.
For an organization many of these parameters can be forced on all repositories. Go to Settings > Code security and analysis. You will have the options to enable/disable all.
π‘ OpenSSF Best Pratices program
Previously known as CII-Best-Practices, this program indicates that the project uses a set of security-focused best development practices for open source software.
So I registered my first project on the website. It was a good surprise because it allowed me to question the quality of my documentation and tests π¬.
Seeing the different levels and questions really helps you think about what you're missing (and possibly learn about the concepts you don't know about yet.. Like SBOM).
I am still working on completing the first step/badge for the CLI project which now has a score of 8.7 out of 10 π on the OpenSSF scorecard.
π― Conclusion
That's it for this article. I've covered what I've done/learned in the last couple of months. Here are some really cool additional links π:
- Concise Guide for Evaluating Open Source Software 2023-01-03
- Concise Guide for Developing More Secure Software 2023-01-03
If you work with NPM, I invite you to read our latest article about package managers:
Obviously, I probably still have a lot to learn. But I hope this will help other maintainers/developers β€οΈ.
π Thanks for reading me π
Top comments (1)
TrΓ¨s intΓ©ressant, merci π