Skip to content

SECURITY

Jump to bottom
Shain Singh edited this page Mar 20, 2023 · 3 revisions

Sensible security defaults for the project and code

Listing a set of brainstorming ideas on a page.

non-negotiables

  • any security should NOT break existing developer workflow
  • REDUCE pipeline runtime and run via webhooks and external to build pipeline
  • reduce friction as opposed to add steps in workflow for developer

pre-commit hooks

Refer to @codecowboydotio's thoughts on what makes sense to include in pre-commit hooks

pre-commit.ci looks interesting because:

  • it can be configured with a YAML file in the repository
  • hooks can be in repository pull and installed easily for developers
  • ability to use webhooks for CI to run in cloud via Github Actions (NOTE: need to investigate effectiveness of this as likely too late in workflow for secrets scanning, but may be useful for linters to speed up developer push)

project governance

OpenSSF provides some very helpful tools for projects:

  • use of allstar for ensuring security controls of a Github repository via a Github App (includes permissions for contributors and apps, and branch protection as examples).
    • advantage of allstar is a separate "configuration repo" which does not add configuration into code repository (unless Github App is configured to add issues/PR for any security violations)
  • badge for OpenSSF Best Practices which are a set of requirements to work through during project
  • badge for a scorecard for security based on checks

traceability

  • sbom

    • create a spdx file using syft
    • DO NOT use spdx to create additional un-necessary SAST/SCA checks
    • traceability of libraries and third party software is arguably of more use then 'whack-a-mole' with static vulnerability checks (NOTE: refer to OpenSSF security scorecard for what are useful static security checks)

  • implement code signing

    • need to investigate a better method than PGP, as while signing with PGP means Github will issue 'verified' this is not replicated locally for developers - i.e. a new developer would need the public PGP key to verify themselves
    • finding a better 'circle of trust' - is it a common place like Github and developer onboarding does not have to include sharing GPG public keys with others, or could adding PGP key as part of signing the CODE_OF_CONDUCT be done

  • an interesting model for traceability is the Sigstore project

    • transparent ledger and automatic key management
    • transparency logs can then be used for software supply chain
    • also can fix code signing and developer onboarding scenarios
    • leverages OpenID for developers to generate ephemeral keys which are stored in CA logs
Clone this wiki locally