Open konklone opened 9 years ago
I agree that these items should be done for code regardless of whether or not it is open source. However, GitHub's documentation (https://help.github.com/articles/remove-sensitive-data/) also states that sensitive data should be removed and explains how. So to me this is just a reiteration of good practices, not an implication of higher requirements for open source. If our code is going to be out in the open, then a reminder of policy and secure thinking is a good thing in my book. Common sense isn't so common, and it's better to remind folks than discover a leak later. :-)
http://blog.nortal.com/mining-passwords-github-repositories/
http://www.securityweek.com/github-search-makes-easy-discovery-encryption-keys-passwords-source-code
Totally. One easy way to get both done is to interrupt the list before the last 4 and add something like "And as a reminder, the same things that make closed source secure also make open source secure:" and then continue on.
@konklone @alfred-ortega got it and totally agree. I will segment the list into general reminder for all coding and the above items that are specific to open source. Thanks!!
This section on risk management:
The last 4 items are all things that should be done for all code, not just open source code. By including them as part of an "open source framework", it implies that open source code has a higher need for security and quality review than closed-source code, which is not the case. I'd go so far as to say that a closed-source code base should be managed as if it is open, to avoid making security decisions that depend on the code or business logic remaining a secret.
Instead, I would focus on the security issues that are more specifically relevant to open source, such as separating private configuration details (e.g. passwords or API keys) from public business logic.
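The separation the issue asks for, shown as an added example that is not part of the thread or of any project it discusses: the business logic commits only the name of an environment variable, the credential itself is read at start-up (and start-up fails if it is missing), and a small scanner flags source lines that look like an embedded credential so the check can run before a commit. The variable names (`EXAMPLE_API_KEY`, `EXAMPLE_API_BASE_URL`), the sample "before" and "after" files and the detection patterns are all constructed for this example; a real pre-commit hook would use a maintained rule set rather than these three patterns.

```python
"""Separating private configuration from public business logic.

Added example, not code from the issue thread. The secret comes from the
environment, the repository carries only the variable name, and a small
scanner flags lines that look like an embedded credential. All names,
patterns and sample files here are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    api_base_url: str   # public; safe to commit
    api_key: str        # private; must only ever come from the environment


def load_settings(env=None) -> Settings:
    """Build Settings from an environment mapping; fail loudly if the secret is absent."""
    env = os.environ if env is None else env
    api_key = env.get("EXAMPLE_API_KEY")  # hypothetical variable name
    if not api_key:
        raise RuntimeError("EXAMPLE_API_KEY is not set; refusing to start without a credential")
    return Settings(
        api_base_url=env.get("EXAMPLE_API_BASE_URL", "https://api.example.invalid"),
        api_key=api_key,
    )


# Patterns that commonly indicate a credential written into source. Constructed
# for this example; a production hook would use a maintained rule set.
_SECRET_PATTERNS = [
    # keyword = "literal of at least six characters"
    re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{6,}['"]"""),
    # PEM private key header
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # shape of an AWS access key id
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
]


def find_hardcoded_secrets(source: str):
    """Return (line_number, stripped_line) pairs for lines that look like embedded credentials."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in _SECRET_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample files: "before" has the key inline, "after" reads it
# from the environment. The key value is made up and is not a real credential.
BEFORE = '''
API_KEY = "sk_live_0123456789abcdef"   # constructed, not a real key
def fetch(): return get(API_BASE, headers={"Authorization": API_KEY})
'''

AFTER = '''
import os
API_KEY = os.environ["EXAMPLE_API_KEY"]
def fetch(): return get(API_BASE, headers={"Authorization": API_KEY})
'''

if __name__ == "__main__":
    print("before:", find_hardcoded_secrets(BEFORE))
    print("after:", find_hardcoded_secrets(AFTER))
    print(load_settings({"EXAMPLE_API_KEY": "from-env"}))
```

Running the scanner over `BEFORE` reports the line holding the literal key; over `AFTER` it reports nothing, because the only thing committed is the variable name. The same `find_hardcoded_secrets` call can be wired into a pre-commit hook over staged files so a leak is caught before it reaches a public history, which is far cheaper than rewriting history afterwards.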