terriko ([personal profile] terriko) wrote2017-06-26 04:02 pm

Choosing secure open source packages

This is crossposted from Curiousity.ca, my personal maker blog. If you want to link to this post, please use the original link since the formatting there is usually better.

I wrote a pair of blog posts for work that came out last month!
Many developers don’t feel qualified to make security decisions. In many ways, that’s a perfectly healthy attitude to have: Security decisions are hard, and even folk with training make mistakes. But a healthy respect for a hard problem shouldn’t result in decisions that make a hard problem even harder to solve. Sometimes, we need to recognize that a lot of architectural decisions in a project are security decisions, whether we like it or not. We need to figure out how to make better choices.
The posts are about how to do very simple security risk assessments on open source packages, so you can make more informed choices about what you include in your code and get a sense of what makes a library look scary to security folk. They’ve got lots of real-life examples of things we’ve seen (good, bad and embarrassing), and there’s a nice scorecard at the end that you can use to do quick assessments of your own. There are even some cat memes included!
I’m pretty proud to be able to share some of the things we’ve learned about open source security risk with the greater world, and since these posts fall in the category of “things I’ve made”, I thought I’d link them here. Hope you like them!