Create a GitHub security best practices guide #102
Comments
SecurityCRob
added
Vote
good first issue
|
I support the idea – AND I would like to make sure that the output of this work remains vendor neutral as per OpenSSF values. For example, we had this discussion when it came to the concise guide's wording about dependabot see point 7. |
|
@torgo I agree many concepts and ideas are similar between the source code management platforms. How would you handle the many SCM-specific features and configurations in such a document? |
|
We discussed an approach in the call this week which I would characterize as "genericize where possible." So for example if turning on MFA is a best practice then we say that and provide information/links to how to do this on the most commonly used services. The group also resolved to work on this as a work item. |
|
I'm interested in helping out. |
|
I am interested in helping out |
|
I'd like to help |
|
I recommend renaming to "Forge Best Practices Guide" or similar. SCM is bigger than GitHub/GitLab/etc. The conventional name for these kinds of systems are "forges" (descended from "SourceForge" which trailblazed the space), let's use that. |
|
"SCM Platform Best Practices" maybe? TBH I am not sure I've heard "Forge" used that much in the wild... |
I was about to comment on that as well. I get the historical reasoning behind calling these types of systems "forges", but as far as I know it is not an industry term that is much in use all round. I think generalizing to SCM is the best way forward. |
|
Some thoughts on this topic from a developer enablement and DevOps perspective. RE: Best Practices NamingSCM or VCS are the terms I hear most often used with tools like GitHub. A couple of thoughts, though... RE: Generic vs tool-specific guidanceCan we adopt a pyramid approach where we set up the high-level and generic guiding principals up front, and then release best practices guidance that map to those for specific platforms like GitHub? It seems like this would be the best of both worlds and would encourage us to "eat our own dogfood" on the mapping to make sure it actually works. It would provide a relatively easy framework to add to over time. RE: Usability and PracticalityLooking through a lot of the existing recommendations out there, and, specifically the ones linked in the OP, I do think we have to be mindful on how these recommendations will affect developer workflows. A specific example is |
|
The term "forge" has a long history in industry, and even a Wikipedia page going back to 2008: Forge(software). A problem with term "software configuration management" is that I don't think we intend to include the full meaning implied by software configuration management. In particular, in many circles "configuration" is generally understood to cover changes typically made by a system administrator. |
I always thought SCM was Source Code Management / Manager. I suppose it is an overloaded term, but I have never heard the term software forge in common parlance. https://stackoverflow.com/questions/2575922/what-does-scm-stand-for |
|
Just to be clear, I think "SCM" Is much better than making it specific to a particular forge, because I expect a lot of overlap. |
|
If we spell out "Source Code Management", it's much clearer. When I hear "SCM" I presume "Software Configuration Management", which as I said, is broader than intended. |
This is probably one of those times when it depends on who is listening, but I have never associated SCM with anything other than "Source Code Management". But what if we are explicit about using the full name in all titles, and then use the shorter SCM after making it clear what we are referring to? |
|
@roberthstrand : Once you clearly define an abbreviation, it's fine to use the abbreviation. It would be prudent to re-introduce the term in various sections if we expect people to take a hyperlink into a specific section (and I do expect that). That's not limited to "SCM", I would do that with any abbreviation that might not be universal. Different communities obviously define "SCM" differently. SCM means "Software Configuration Management" in many circles, my goal is to just help make it clear what it means in this document. |
|
Since we've published the SCM guide we think this is closed. Of course work will continue on the SCM guide - and we encourage people to open new issues or raise PRs related to that document. ✨ |
Proposal:
Creating a single document that compiles GitHub security best practices in a clear and consistent format.
The document will help security teams, DevOps engineers, and developers implement security best practices in the GitHub platform.
Additionally, such a document could assist in the development of software that automatically validates these configurations.
Rationale:
Some Examples:
Other examples can be found here: link
Who we are
We are Legit Security, a cybersecurity company that aims to secure SDLC and prevent software supply chain attacks. We have in-depth knowledge in the field of SDLC misconfigurations, and we'd love to help create this document.
The text was updated successfully, but these errors were encountered: