Seven Best Practices to Secure Your Open Source Components
Open source software accelerates innovation and development cycles, encourages community engagement and knowledge sharing, and promotes transparency through external reviews and contributions. Writing open source software can also lead to faster turnaround times, lower costs, and easier license management. At Salesforce, open source is an important cornerstone of our business. The Commons Program supports the open source community to bring innovation on the Salesforce platform for nonprofits and schools.
Because open source software is community-driven with multiple contributors, it’s important to know and understand open source security best practices to secure your components and protect them from potential threats and vulnerabilities. Let's review the best practices you should follow to secure your open source code.
Secure Coding Practices
Adopt secure coding practices, such as Salesforce’s Secure Coding Guidelines, that address securely handling sensitive data, input validation, output encoding, and avoiding direct use of user input in queries. And remember to always choose an industry standard secure encryption algorithm and hashing for sensitive data, in rest and in transit. This will not only remove the commonly exploited software vulnerabilities, but helps to prevent long term costs to fix the vulnerable code.
Protect Your Credentials/Secrets
Never hardcode sensitive information like passwords or API keys in your code. If API or encryption keys are committed to the codebase, attackers can gain unauthorized access to your servers, databases, or development tools. Remember to always scan your codebase using a credential scanner, such as the Salesforce Code Scanner Portal (for Salesforce customers and partners), to prevent credential and secret leakage.
Remove Sensitive Data and Information
Apart from these secrets, open source code may contain sensitive information which can potentially leak internal system configuration details. This can include hard coded internal IP addresses and personally identifiable information (PII) in developer comments, which can leak sensitive information.
It's important to clear your GitHub history after removing the sensitive information, and to implement proper error handling to avoid exposing sensitive data. Additionally, be sure to adhere to the data classification standards and policies at your organization, and follow this practice while writing open source code base. Check out the Secure Coding Guide to learn more about storing sensitive data.
Minimize External Dependencies
If possible, minimize the use of external dependencies in your open source code. Adding external libraries or dependencies mean you are relying on third party library developers for the quality control of their code, but they may no longer actively develop and maintain these libraries. By using external libraries, you increase your risk and add potential attack surfaces in your open source software.
Lock Down Third Party Libraries
To ensure you are using the most secure external dependencies (e.g., third party libraries and code), it’s crucial to establish a regular schedule to review and update them with the latest releases and security patches. Vulnerabilities in outdated versions can be exploited by malicious actors, leading to potential security breaches. When integrating third party libraries, keep a list of all the external libraries integrated in the code and be sure to verify their security record, track vulnerability databases, review their community support, and ensure the libraries are actively maintained.
Secure Your Repository
Minimize risk by following the GitHub repository security best practices. Also look for additional control practices which are followed in your organization. Some of them are:
- Manage access to your repository: Mandate multi-factor authentication on all the GitHub accounts for all your contributors. Revoke access for the contributors who are no longer in the project.
- Add a SECURITY.md file: Apart from this, one should include a SECURITY.md file that contains all the security information about your project. This SECURITY.md should have disclosure policy, security update policy, security related configuration best practices, known vulnerabilities, and future roadmap.
- Rotate SSH Keys and personal access tokens: Be sure to rotate both SSH Keys and personal access tokens periodically to minimize leakage.
- Deprovision apps: As a responsible administrator in an organization, be sure to periodically review open source code projects that are no longer maintained and require deprovisioning.
SAST Scanning and Security Review
Regular code scanning and security review of your repository helps identify security issues at early stages and reduces the likelihood of any major security issues arising later. Static code analysis tools can identify common security flaws, while dependency vulnerability scanners can highlight any known issues in your project's dependencies. Additionally, consider using security-focused continuous integration and continuous deployment (CI/CD) pipelines to automate security checks throughout your development process.
Securing your open source code is essential to protect your project and its users from potential vulnerabilities and breaches. By following these best practices, you can minimize security risks and build trust in your open source projects. Remember, security is an ongoing process, so continue to stay vigilant, adapt to emerging threats, and keep your codebase up-to-date with the latest security measures.