With the recent backdoor exploit of the xz package, security is on several people's minds. It has always been critical to be aware of security topics such as Cross-Origin Resource Sharing (CORS), Content Security Policies (CSP), avoiding cross-site scripting attacks (XSS), and subresource integrity, among other security topics. Still, many of us either do not have the time or the money to learn these and other related security topics.
- How to determine whether you are affected by the xz backdoor using Socket.dev
- The deeper need the xz exploit demonstrates
- Resources to help protect developers (humans) from attacks similar to the xz backdoor compromise
With my involvement in the open-source world and wanting to ensure that the projects I maintain and contribute to are secure, I decided to take a look at what the Linux Foundation has to offer in terms of course material. Having previously studied for and taken the Node.js Developer exam, I found their content to be good and up-to-date.
I was pleasantly surprised to find that they have quite a few courses aimed at what they have classified as beginner-friendly (we are all beginners at some point). Not only that, but all of these courses are free! I am planning to work my way through them, so I thought I would share the list of courses here for ease of access for myself and for all of you who might be interested in sharpening your security knowledge.
Let's dive in.
Secure Software Development: Requirements, Design, and Reuse
This course discusses the basics of security, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. It then focuses on how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also considers how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security.
Secure Software Development: Implementation
This course focuses on key implementation issues: input validation (such as why allowlists should be used and not denylists), processing data securely, calling out to other programs, sending output, and error handling. It focuses on practical steps that you (as a developer) can take to counter the most common kinds of attacks.
Secure Software Development: Verification and More Specialized Topics
This course discusses how to verify software for security. In particular, it discusses the various static and dynamic analysis approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities.
Developing Secure Software
Modern software is under constant attack, but many software developers have never been told how to effectively counter those attacks. This course works to solve that problem, by explaining the fundamentals of developing secure software. This course covers the following topics:
- This first part of the course focuses on how to design software to be secure, including various secure design principles.
- How to secure your software supply chain, that is, how to more securely select and acquire reused software including open source software.
- The second part of this course focuses on key implementation issues such as input validation, processing data securely, calling out to other programs, sending output, and error handling.
- The third part of the course discusses how to verify software for security using static and dynamic analysis approaches.
Securing Your Software Supply Chain with Sigstore
This course will introduce you to Cosign, Fulcio, Rekor, and the Policy Controller, the tools under the Sigstore umbrella, explaining how they support a more secure software supply chain. You will learn how to employ these tools throughout your software development, testing, and distribution processes. Additionally, those who use or implement your software will be able to verify its authenticity through tamper-resistant public logs.
Understanding the OWASP® Top 10 Security Threats
By the end of this course, participants will acquire a comprehensive understanding of the OWASP Top 10 Security Threats, empowering them to identify and mitigate vulnerabilities, understand exploitation techniques, and apply risk management for web app security.
GitHub Supply Chain Security Using GitGat
This course starts by providing an understanding of the risks regarding a GitHub account, GitHub's account types and their security ramifications, GitHub's access controls, GitHub branch-protection rules, and OPA concepts. This course will equip you with the knowledge to correctly assess your own or your organization's GitHub account security posture using the GitGat open-source tool, correctly set up a basic GitHub security posture, whether you're an individual or run a GitHub organization, set up the state for the GitGat project, and know how to set up a continuous security audit of your repositories.
Cybersecurity Essentials
The course discusses security precautions and risks when using technology for personal and professional purposes. It covers strategies to protect information during everyday activities and transactions, prevent exposure to account and data compromises, and identify what to do if a data breach occurs. The course includes real-world scenarios highlighting personal and professional situations and the implications of unsafe practices.
Security Self-Assessments for Open Source Projects
You should be able to articulate the value and initiate the process of a security self-assessment for your project to expedite future joint assessments or security audits.
Securing Projects with OpenSSF Scorecard
You will learn about the different checks provided by OpenSSF Scorecard, how to configure the checks for your environment, and how to automate their implementation.
Automating Supply Chain Security: SBOMs and Signatures
Learn about software provenance, the role of source control, dependency tracking, and the creation of SBOMs. Get familiar with SBOM and signing tools, and apply them to Cosign and SLSA workflows with GitHub Actions.
Introduction to Zero Trust
This course discusses the features and characteristics of a Zero Trust Architecture, the different models of trust and use cases, and provides opportunities for hands-on practice with open source tools such as SPIFFE/SPIRE, Open Policy Agent, and Istio service mesh.
Conclusion
That is quite a lot of courses, and it is going to take time to work through them, but I believe it is time that we all shift security left and take some of the responsibility for securing our software on ourselves, the software engineers. I also believe this is the case whether you are a frontend, backend, or full-stack engineer. Just like with accessibility, we all need to do our part.
If you are planning on working through all or some of these courses and want a study buddy or to start a study group, let me know in the comments. I would love to join you.